Date: Wed, 12 Jun 2002 08:44:54 -0700 (PDT)
From: Jason Stone
To: Matt Piechota
Cc: Aragon Gouveia
Subject: Re: ssh questions
In-Reply-To: <20020612105149.M36620-100000@cithaeron.argolis.org>
Message-ID: <20020612083746.E28555-100000@walter>
Sender: owner-freebsd-security@FreeBSD.ORG

> > > This is a rather poorly written expect script that I use to tar up a cvs
> > > tree on a computer in a rather restrictive lab.
> >
> > I haven't been following this thread, but wouldn't key authentication be
> > easier, securer, more reliable?
>
> It uses keys, but the keys have a password on them. It really isn't all
> that good either way: one way I have passwords laying about, the other I
> have passwordless keys that are nearly as dangerous.

Place restrictions on the keys in the authorized_keys file on the server.
For example, you can set it up such that the key can only be used to copy
one particular file, and can only be used from one well-known client ip
address. This makes unencrypted keys much safer, and is clearly more
secure than having the unencrypted and unrestricted password in the clear
on the client.

And . The openssh-dev list (openssh-unix-dev@mindrot.org) is probably a
better place for this kind of discussion.

-Jason

-----------------------------------------------------------------------
I worry about my child and the Internet all the time, even though she's
too young to have logged on yet. Here's what I worry about. I worry that
10 or 15 years from now, she will come to me and say "Daddy, where were
you when they took freedom of the press away from the Internet?"
  -- Mike Godwin
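
The key restrictions described in the reply above, as an added example that is not part of the original message: restricted_entry builds an authorized_keys line using OpenSSH's from= and command= options, and audit_keys flags keys that lack them. The address 192.0.2.10, the path /home/cvs/tree.tar, the key material and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original message. Addresses, paths and key
# material are constructed placeholders.

# Emit an authorized_keys entry pinned to one client address and one forced
# command, with forwarding and terminal allocation disabled.
# $1 = client IP, $2 = the one file the key may fetch, $3 = public key line
restricted_entry() {
    printf 'from="%s",command="/bin/cat %s",' "$1" "$2"
    printf 'no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$3"
}

# Constructed sample: one unrestricted key, one half-restricted, one restricted.
sample_keys() {
    echo '# constructed sample authorized_keys'
    echo 'ssh-rsa AAAAB3PLACEHOLDER1 backup@client'
    echo 'from="192.0.2.10" ssh-rsa AAAAB3PLACEHOLDER2 cvs@client'
    restricted_entry 192.0.2.10 /home/cvs/tree.tar \
        'ssh-rsa AAAAB3PLACEHOLDER3 cvs@client'
}

# List keys in file $1 that lack a from= or command= restriction.
# Simplification: assumes no key-type word appears inside a quoted option.
audit_keys() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blanks
    {
        sub(/^[ \t]+/, "")
        s = " " $0
        # Options are whatever precedes the key-type token.
        if (!match(s, /[ \t](ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9]+) /)) next
        opts = "," substr(s, 2, RSTART - 2)
        miss = ""
        if (opts !~ /,from="/)    miss = miss " from="
        if (opts !~ /,command="/) miss = miss " command="
        if (miss != "") printf "line %d: missing%s\n", NR, miss
    }' "$1"
}

# Demo run over the constructed sample.
f=$(mktemp); sample_keys > "$f"; audit_keys "$f"; rm -f "$f"
```

With command= set, sshd runs the forced command and ignores whatever command the client requests, so the client fetches the file by redirecting the session's output to a local file.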