On Thu, Jun 09, 2005 at 08:02:06PM -0400, Robert Brockway (rbrockway@opentrend.net) wrote:
> On Thu, 9 Jun 2005, Roberto C. Sanchez wrote:
>
> > Sadly, most people (myself included) have no passphrase on their SSH
>
> Hi. Using PKI with no passphrase drops the level of security
> significantly (as I'm sure you know).
>
> > keys. I also end up bouncing around a variety of machines (some Fedora,
> > some Windows with PuTTY and some Windows with SSH.com). So the key
> > thing is a pain in the butt. At least on the Linux machines it is
> > straightforward and I set those up when I can to use keys instead of
> > passwords.
>
> May I introduce you to ssh-agent and ssh-add. They are a standard part of
> ssh and will operate between implementations (as long as no one has broken
> their implementation).
>
> This is the last line of my ~/.xsession file:
>
> ssh-agent bash -c "ssh-add < /dev/null && /usr/bin/fvwm2"
If you're starting X under Debian via a display manager (gdm, kdm, wdm,
xdm, etc.), you're already running ssh-agent. Check your environment,
or look at /etc/ssh-* (the directory pattern used for the authorization
socket). I've found most other distros are now doing this as well.
Accessing ssh-agent is now as simple as "ssh-add" in a terminal, to feed
your password to the agent.
> After entering my passphrase as part of the login process[1] I can ssh
> to boxes all over the world without so much as entering my passphrase
> and I'm doing it securely. Of course you need to keep your session
> secure if you are doing this (and I certainly do).
You can also revoke a password (temporarily) from an agent:
$ ssh-add -D # Deletes all identities from the agent
$ ssh-add -x # lock agent with password
$ ssh-add -X # unlock agent.
$ ssh-add -t <life> # Specify lifetime of identities (in seconds)
Remember: there are 60 seconds in a minute, 3600 seconds in an hour,
and 86,400 seconds in a day. Which I know from memory (nine months
spent working with 24-hour, seconds-resolution data....). 604,800
seconds to a week, 2,419,200 seconds per 28 day "month", and 31,536,000
seconds per (standard) year, I have to calculate still....
ssh, RSA authentication, & ssh-agent are lifesavers. Add to them
rsync (a fast, efficient, flexible file transfer protocol), screen (a
detachable terminal multiplexer), and mc (a curses-based file manager on
steroids, including the ability to transfer files back and forth) and
you've got the makings of highly doable remote admin.
Peace.
--
Karsten M. Self <kmself@ix.netcom.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
Necessity knows no law.
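As an added example that is not code from this mail, from the thread, or from OpenSSH itself: the two practices above (check whether a display manager already started ssh-agent before starting another, and give ssh-add'd identities a lifetime with -t) as a small POSIX shell script. The SSH_AUTH_SOCK check, the ssh-add -l exit codes (0 identities listed, 1 none loaded, 2 agent unreachable) and the seconds-per-unit figures are as documented; the function names, the key path ~/.ssh/id_rsa and the 8-hour lifetime in demo() are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original mail: reuse an ssh-agent if one is
# already in the environment, start one only if it is not, and load a key
# with a bounded lifetime given in human units (s, m, h, d, w) converted
# to the seconds that ssh-add -t expects.

# to_seconds LIFETIME: "1d12h30m" -> 131400; a bare number is taken as
# seconds. Prints the total; returns 1 on malformed input.
to_seconds() {
    rest=$1
    total=0
    while [ -n "$rest" ]; do
        num=${rest%%[smhdw]*}                  # digits before the next unit
        case $num in
            ''|*[!0-9]*) return 1 ;;           # no digits, or junk in them
        esac
        tail=${rest#"$num"}
        unit=$(printf '%.1s' "$tail")          # the unit letter, if any
        case $unit in
            '') mult=1 ;;                      # bare number: seconds
            s)  mult=1 ;;
            m)  mult=60 ;;
            h)  mult=3600 ;;
            d)  mult=86400 ;;
            w)  mult=604800 ;;
        esac
        total=$((total + num * mult))
        rest=${rest#"$num$unit"}
    done
    echo "$total"
}

# agent_reachable: true if SSH_AUTH_SOCK names an existing socket. This is
# the "check your environment" step: a display manager that started
# ssh-agent exports this variable before your shell runs.
agent_reachable() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# agent_state: classify what ssh-add -l reports via its exit status
# (0 identities listed, 1 no identities, 2 cannot contact the agent).
agent_state() {
    command -v ssh-add >/dev/null 2>&1 || { echo missing-ssh-add; return; }
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo loaded ;;
        1) echo empty ;;
        2) echo unreachable ;;
        *) echo error ;;
    esac
}

# ensure_agent: start an agent only when none is reachable, so a second
# login does not pile up agents that each need their own ssh-add.
ensure_agent() {
    agent_reachable && return 0
    eval "$(ssh-agent -s)" >/dev/null    # exports SSH_AUTH_SOCK, SSH_AGENT_PID
    agent_reachable
}

# load_key KEYFILE LIFETIME: add the key and have the agent forget it after
# LIFETIME (ssh-add -t), so a forgotten session cannot use it indefinitely.
load_key() {
    secs=$(to_seconds "$2") || { echo "bad lifetime: $2" >&2; return 1; }
    ssh-add -t "$secs" "$1"
}

# demo: the whole sequence; key path and lifetime are assumed values.
# Run with:  sh agent-example.sh run
demo() {
    ensure_agent || { echo "no agent available" >&2; return 1; }
    echo "agent before: $(agent_state)"
    load_key "$HOME/.ssh/id_rsa" 8h
    echo "agent after:  $(agent_state)"
    ssh-add -l                            # list what the agent now holds
    # When stepping away: ssh-add -x locks the agent behind a password,
    # ssh-add -X unlocks it, ssh-add -D drops every identity.
}

if [ "${1:-}" = run ]; then
    demo
fi
```

The functions are defined without side effects, and demo() only runs when the script is invoked with the argument "run", so it can be sourced from a login script to get ensure_agent into the environment of the calling shell. to_seconds exists only to make the mail's seconds arithmetic explicit; ssh-add has accepted suffixed time formats for -t since well after this mail was written, so on a current system you can pass "8h" directly.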