Date: Thu, 25 Mar 1999 10:28:50 -0800 (PST)
From: Matthew Dillon <dillon@apollo.backplane.com>
To: Mike Thompson <miket@dnai.com>
Cc: Gary Gaskell <gaskell@isrc.qut.edu.au>, freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
Message-ID: <199903251828.KAA00857@apollo.backplane.com>
References: <Pine.GSO.4.10.9903251409300.17330-100000@primrose.isrc.qut.edu.au> <4.1.19990325021717.0097e980@mail.dnai.com>
:Matthew,
:
:Another quick question. Under the configuration described below
:can one system issue an ssh command from a script to another system
:without having to include a password? We have automated scripts
:that will run nightly that will run on one server and execute commands
:on other servers using ssh. Supplying such a password to the
:Kerberos kinit application before using ssh in such a script will be
:problematic. I assume this is why you mentioned your use of the
:"authorized_keys" files for limited purposes? Any other suggestions?
:
:Mike Thompson

    You can always use ssh's authorized_keys mechanism, in which a user
    (or root) on one machine gives root on another machine access via a
    keypair. Typically, in order for this to work from cron, you cannot put
    a password on the private key, so the administrative machine from which
    the ssh is issued must be secure.

    People sometimes forget that in a typical setup, if someone steals the
    private key from machine A for which machine B has entered the public
    key in its authorized_keys file, that person can use it to ssh to
    machine B from anywhere. With ssh, you have to use the
    'from="fulldomainname"' option *IN* the authorized_keys file to ensure
    that the key authenticates *AND* that it is coming from a specific
    client. e.g.

        # authorized_keys file
        #
        from="apollo.backplane.com" 1024 37 8123412340...

                                        -Matt
                                        Matthew Dillon
                                        <dillon@backplane.com>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
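The point of Matt's reply is that a passwordless key in authorized_keys is only as safe as the `from=` restriction attached to it. The script below is an added example (not part of the message or of FreeBSD): it parses authorized_keys lines, both the protocol-1 "bits exponent modulus" form shown above and the later "type base64 comment" form, handles quoted option values that contain commas or spaces (as `from="a,b"` or `command="..."` do), and reports every key that has no `from=` restriction or whose pattern is only `*`. The sample file, the host names and the key material in it are constructed placeholders.

```python
# Added example: parse OpenSSH authorized_keys lines (optional comma-separated
# options, then a protocol-1 "bits exponent modulus" key or a protocol-2
# "type base64 comment" key) and report every key that has no from= restriction.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class KeyEntry:
    line_no: int
    options: Dict[str, Optional[str]]  # option name -> value (None for flags like no-pty)
    key_type: str                      # "ssh1-rsa" for protocol-1 lines, else the type token
    key_data: str
    comment: str


def split_options(opts: str) -> Dict[str, Optional[str]]:
    """Parse 'from="a,b",no-pty,command="x y"'; quoted values may hold commas and spaces."""
    result, i, n = {}, 0, len(opts)
    while i < n:
        j = i
        while j < n and opts[j] not in "=,":
            j += 1
        name, value = opts[i:j].strip().lower(), None
        if j < n and opts[j] == "=":
            j += 1
            if j < n and opts[j] == '"':  # quoted value; \" is a literal quote
                j, buf = j + 1, []
                while j < n and opts[j] != '"':
                    if opts[j] == "\\" and j + 1 < n and opts[j + 1] == '"':
                        j += 1
                    buf.append(opts[j])
                    j += 1
                j, value = j + 1, "".join(buf)
            else:  # bare value runs to the next comma
                k = j
                while k < n and opts[k] != ",":
                    k += 1
                j, value = k, opts[j:k]
        result[name] = value
        i = j + 1 if j < n and opts[j] == "," else j
    return result


def _options_end(line: str) -> int:
    """Index of the first whitespace outside double quotes, i.e. the end of the options field."""
    in_quote, i = False, 0
    while i < len(line):
        c = line[i]
        if in_quote and c == "\\":
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            return i
        i += 1
    return len(line)


def parse_line(line: str, line_no: int = 0) -> Optional[KeyEntry]:
    """Parse one line; None for blanks and comments, ValueError for malformed entries."""
    s = line.strip()
    if not s or s.startswith("#"):
        return None
    first = s.split(None, 1)[0]
    # Protocol-1 lines begin with the key size; protocol-2 lines with a key type name.
    if first.isdigit() or first.startswith(("ssh-", "ecdsa-", "sk-")):
        options, rest = {}, s
    else:
        end = _options_end(s)
        options, rest = split_options(s[:end]), s[end:].strip()
    parts = rest.split(None, 2)
    if len(parts) < (3 if parts and parts[0].isdigit() else 2):
        raise ValueError("truncated key entry")
    if parts[0].isdigit():  # protocol-1: bits exponent modulus [comment]
        tail = parts[2].split(None, 1)
        return KeyEntry(line_no, options, "ssh1-rsa", tail[0], tail[1] if len(tail) > 1 else "")
    return KeyEntry(line_no, options, parts[0], parts[1], parts[2] if len(parts) > 2 else "")


def audit(text: str) -> List[Tuple[int, str]]:
    """Return (line number, finding) for every key that can be used from any client host."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        try:
            entry = parse_line(raw, n)
        except ValueError as exc:
            findings.append((n, f"unparseable line: {exc}"))
            continue
        if entry is None:
            continue
        src = entry.options.get("from")
        if src is None:
            findings.append((n, f"{entry.key_type} key '{entry.comment}' has no from= restriction"))
        elif all(p.strip() in ("", "*") for p in src.split(",")):
            findings.append((n, f"{entry.key_type} key '{entry.comment}' has from=\"{src}\", which matches any host"))
    return findings


# Constructed sample file; the key material is placeholder text, not real keys.
SAMPLE = "\n".join([
    "# nightly backup jobs (constructed example)",
    'from="apollo.backplane.com" 1024 37 1234567890123456789 backup@apollo',
    'from="*.example.net,!bad.example.net",no-pty,command="/usr/local/bin/nightly --run" '
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexamplekeydata nightly@admin",
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexample unrestricted@laptop",
    'from="*" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIanother wildcard@anywhere',
])
```

Running `audit(SAMPLE)` flags the third and fourth keys (no `from=`, and `from="*"`); the first two pass because each names the client host(s) the key may come from. On a real host the same function can be run over each user's `~/.ssh/authorized_keys` as a periodic check that a stolen cron key cannot be replayed from an arbitrary machine.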
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199903251828.KAA00857>