On Mon, Jun 11, 2007 at 12:55:22AM -0400, Roberto C. Sánchez wrote:
> On Sun, Jun 10, 2007 at 10:35:56PM -0600, Telly Williams wrote:
> >
> > When you talk about logging into the computer without a password,
> > are you talking about SSH? If so, how do you handle doing that in, say,
> > an internet cafe? Thanks.
> > ~Telly
> >
> Yes, I am talking about ssh without a password. To answer the question
> about the Internet café, I would say “don't.” Something like a one-time
> password would be best since it is an untrusted environment.
>

Just to add .02 to this thread:

If I know I'm going to be SSH'ing in from a machine that is not in my .ssh/authorized_keys, then I will turn on password authentication (with a suitably strong password) and restart SSH just before I head out to whatever location that is. When I get there, the first thing I'll do is generate an rsa key, use ssh-copy-id to send that key to my machine, log in and then restart ssh without password login. It only takes a minute, and then I'm in and resecured.

This combined with fail2ban or other measures to control dictionary attacks should be pretty secure.

Also, if it's a one time deal, I think you can just restart ssh without password authentication and the current connection will stay alive until you exit. That would give you the one login and then when you're done, the machine is secured.

I wonder, can you call scripts as part of ssh login? I don't think so. But you could build a lovely little test into your .profile or .bashrc or whatever to detect how you've logged in -- if you've logged in through ssh, it could grep sshd_config for the state of password authentication and then if it's on, turn it off and restart the daemon. That would give you an automatic one time login with a password.

A
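A sketch of the .profile test described in the message above, added here as an example and not code from the thread. The function names and the sample config are constructed; it assumes whitespace-separated `Keyword value` lines and relies on sshd using the first value it reads for a keyword, with `yes` as the default for PasswordAuthentication.

```shell
#!/bin/sh
# Added example; function names and the sample config are constructed.

# Print the effective global PasswordAuthentication value.
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and the default is "yes" when none is set. Lines from the
# first Match block on are conditional and are skipped; Include is not followed.
password_auth_state() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "passwordauthentication" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }
    ' "$1"
}

# Prepend "PasswordAuthentication no" so it is the first value sshd reads.
# Writing through cat keeps the file's owner and mode.
disable_password_auth() {
    tmp=$(mktemp) || return 1
    { echo "PasswordAuthentication no"; cat "$1"; } > "$tmp" && cat "$tmp" > "$1"
    rc=$?; rm -f "$tmp"; return $rc
}

# Login hook: act only for SSH sessions (sshd sets SSH_CONNECTION) and only
# while password authentication is still enabled.
one_time_password_login() {
    [ -n "$SSH_CONNECTION" ] || return 0
    [ "$(password_auth_state "$1")" = "yes" ] || return 0
    disable_password_auth "$1" || return 1
    # On the live file this needs root, then "sshd -t" to validate the config
    # and a restart of the daemon through your init system.
    echo "password authentication disabled in $1"
}

# Demo on a constructed sample file, never the live sshd_config.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'Port 22' '#PasswordAuthentication no' \
    'passwordauthentication yes' 'Match User backup' \
    '    PasswordAuthentication no' > "$sample"
password_auth_state "$sample"
SSH_CONNECTION="203.0.113.5 50000 192.0.2.10 22" one_time_password_login "$sample"
password_auth_state "$sample"
rm -f "$sample"
```

Run as root, `sshd -T` prints the configuration sshd would actually apply, which is a stronger check than parsing the file when Include or Match blocks are in use.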