Date:      Thu, 25 Mar 1999 10:28:50 -0800 (PST)
From:      Matthew Dillon <dillon@apollo.backplane.com>
To:        Mike Thompson <miket@dnai.com>
Cc:        Gary Gaskell <gaskell@isrc.qut.edu.au>, freebsd-security@FreeBSD.ORG
Subject:   Re: Kerberos vs SSH
Message-ID:  <199903251828.KAA00857@apollo.backplane.com>
References:  <Pine.GSO.4.10.9903251409300.17330-100000@primrose.isrc.qut.edu.au> <4.1.19990325021717.0097e980@mail.dnai.com>

:Matthew,
:
:Another quick question.  Under the configuration described below 
:can one system issue an ssh command from a script to another system
:without having to include a password?  We have automated scripts
:that will run nightly that will run on one server and execute commands
:on other servers using ssh.  Supplying such a password to the 
:Kerberos kinit application before using ssh in such a script will be 
:problematic. I assume this is why you mentioned your use of the 
:"authorized_keys" files for limited purposes?  Any other suggestions?
:
:Mike Thompson

    You can always use ssh's authorized_keys mechanism, in which a user ( or
    root ) on one machine gives root on another machine access via a keypair. 
    Typically, in order for this to work from cron, you cannot put a password
    on the private key, so the administrative machine from which the ssh is
    issued must be secure.

    People sometimes forget that in a typical setup, if someone steals the
    private key from machine A for which machine B has entered the public
    key in its authorized_keys file, that person can use it to ssh to 
    machine B from anywhere.  With ssh, you have to use the
    'from="fulldomainname"' option *IN* the authorized_keys file to ensure 
    that the key authenticates *AND* that it is coming from a specific client.
    e.g.

    # authorized_keys file
    #
    from="apollo.backplane.com" 1024 37 8123412340...

					-Matt
					Matthew Dillon 
					<dillon@backplane.com>



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
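An added example, not part of the original e-mail: a small audit script for the point Matt makes above. Matt's `authorized_keys` line is in the SSH1 `bits exponent modulus` format; this script assumes the current OpenSSH syntax (`[options] keytype base64 [comment]`), parses each entry, and flags keys that carry no `from=` restriction, no forced `command=`, or no forwarding restrictions. It also builds the entry one would install for an unattended cron key: `from=` plus `command=` plus `restrict` (the `restrict` option needs OpenSSH 7.2 or later; older servers use the `no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding` set the sample also shows). The hostnames, comments and base64 blobs in `SAMPLE` are constructed placeholders, not real keys.

```python
"""Audit OpenSSH authorized_keys entries for keys that work from anywhere.

Added example, not code from the original e-mail. Assumes the modern
OpenSSH authorized_keys syntax ([options] keytype base64 [comment]);
the key material in SAMPLE is a constructed placeholder, not a real key.
"""
from typing import Dict, List, Optional

# Together these three do for forwarding what "restrict" (OpenSSH 7.2+) does.
NO_FORWARDING = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding"}


def split_fields(line: str) -> List[str]:
    """Split on whitespace, but never inside a double-quoted option value."""
    fields, buf, in_quote, i = [], [], False, 0
    while i < len(line):
        c = line[i]
        if in_quote and c == "\\" and i + 1 < len(line):
            buf.extend(line[i:i + 2])   # keep the escape for split_options
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        if c.isspace() and not in_quote:
            if buf:
                fields.append("".join(buf))
                buf = []
        else:
            buf.append(c)
        i += 1
    if buf:
        fields.append("".join(buf))
    return fields


def split_options(opts: str) -> Dict[str, Optional[str]]:
    """Parse 'from="a,b",command="x",no-pty' into {name: value-or-None}.

    Values may be double-quoted and contain commas and \\" escapes; sshd
    matches option names case-insensitively, so they are lower-cased here.
    """
    result: Dict[str, Optional[str]] = {}
    i, n = 0, len(opts)
    while i < n:
        start = i
        while i < n and opts[i] not in "=,":
            i += 1
        name, value = opts[start:i].lower(), None
        if i < n and opts[i] == "=":
            i += 1
            if i < n and opts[i] == '"':
                i += 1
                buf = []
                while i < n and opts[i] != '"':
                    if opts[i] == "\\" and i + 1 < n:
                        i += 1          # unescape \" inside the value
                    buf.append(opts[i])
                    i += 1
                i += 1                  # skip the closing quote
                value = "".join(buf)
            else:
                start = i
                while i < n and opts[i] != ",":
                    i += 1
                value = opts[start:i]
        result[name] = value
        if i < n and opts[i] == ",":
            i += 1
    return result


def audit(text: str) -> List[dict]:
    """Return one record per key listing the restrictions it is missing."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = split_fields(line)
        # An entry without options starts directly with the key type.
        if fields[0].startswith(("ssh-", "ecdsa-", "sk-")):
            opts, rest = {}, fields
        else:
            opts, rest = split_options(fields[0]), fields[1:]
        if len(rest) < 2:
            raise ValueError(f"line {line_no}: not an authorized_keys entry")
        issues = []
        if "from" not in opts:
            issues.append("unrestricted-source")   # stolen key works from anywhere
        if "command" not in opts:
            issues.append("no-forced-command")     # key grants a full shell
        if "restrict" not in opts and not NO_FORWARDING.issubset(opts):
            issues.append("forwarding-allowed")    # key can pivot via -L/-R/-A
        entries.append({"line": line_no, "key_type": rest[0],
                        "comment": " ".join(rest[2:]), "from": opts.get("from"),
                        "options": opts, "issues": issues})
    return entries


def cron_entry(key_type: str, key_b64: str, hosts: List[str],
               command: str, comment: str = "") -> str:
    """Build the entry one would install on machine B for a cron key on A."""
    opts = ['from="%s"' % ",".join(hosts),
            'command="%s"' % command.replace('"', '\\"'),
            "restrict"]   # no pty, no forwarding, no agent (OpenSSH 7.2+)
    return " ".join([",".join(opts), key_type, key_b64, comment]).strip()


# Constructed sample file: hostnames and base64 blobs are placeholders.
SAMPLE = """\
# backup keys on machine B
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKey0001 backup@admin
from="apollo.backplane.com" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPlaceholderKey0002 backup@apollo
from="apollo.backplane.com,*.backplane.com",command="/usr/local/sbin/nightly-backup",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKey0003 cron@apollo
restrict,from="10.0.0.*" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKey0004 ops@bastion
"""

if __name__ == "__main__":
    for e in audit(SAMPLE):
        print(f"line {e['line']}: {e['comment']}: {', '.join(e['issues']) or 'ok'}")
    print(cron_entry("ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKey0005",
                     ["apollo.backplane.com"], "/usr/local/sbin/nightly-backup", "cron@apollo"))
```

Two caveats worth keeping in mind when relying on `from=`: sshd matches the pattern against the client's IP address and its reverse-resolved hostname, so the restriction is only as trustworthy as the network path and DNS between the two machines, and it says nothing about what the key may do once the source check passes. That is why the hardened entry pairs `from=` with a forced `command=` and `restrict`: a key lifted from machine A is then useless from elsewhere, and even from A it can only run the one backup command.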




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199903251828.KAA00857>