Date: 02 Jun 2005 16:19:59 -0400
From: Lowell Gilbert <freebsd-questions-local@be-well.ilk.org>
To: freebsd-questions@freebsd.org
Subject: Re: can't figure out ssh, read lots of docs...
Message-ID: <44k6lc4ikw.fsf@be-well.ilk.org>
In-Reply-To: <20050602170709.GA3507@orion.daedalusnetworks.priv>
References: <20050602161621.GB2778@orion.daedalusnetworks.priv> <000101c56794$ab00e330$144da8c0@rtxnetworks.local> <20050602170709.GA3507@orion.daedalusnetworks.priv>
Giorgos Keramidas <keramida@ceid.upatras.gr> writes:

> On 2005-06-02 18:01, Lowell Gilbert <freebsd-questions-local@be-well.ilk.org> wrote:
> >Giorgos Keramidas <keramida@ceid.upatras.gr> writes:
> >>On 2005-06-02 10:38, Lowell Gilbert <freebsd-questions-local@be-well.ilk.org> wrote:
> >>> The original poster wanted to do automated backups via scp. This
> >>> kind of application *requires* empty passphrases
> >>
> >> Nope. scp works fine with a pass-phrase too, if one uses ssh-agent
> >> properly, regardless of the remote user being root or not.
> >
> > You're recommending leaving an ssh-agent instance running unattended
> > instead of having a passphrase-less key?
>
> Not really. In fact, this was exactly what I said is a "bad idea" in a
> previous post.

Okay, so how *do* you apply the agent approach to automated operation?
The "automated" process only works when the operator is present?

> > That just means you have to protect the agent's socket as carefully as
> > you would have to protect the unencrypted key file.
>
> For only as long as the agent process is alive. Which is usually a lot
> less than "forever" -- the time for which an unencrypted key which also
> exists in authorized_keys works.
>
> > You are right: there *are* ways to give access to the key other than
> > empty passphrases. The only real disadvantage of the agent approach
> > is that the key becomes inaccessible when the system reboots.
>
> Exactly (or when I issue `pkill ssh-agent').

That can be a *huge* disadvantage. For my home network, I'm willing to
have operator intervention required to do a backup. But I wouldn't
recommend that approach for a commercial operation.
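The thread weighs a passphrase-less key (works unattended, but lives "forever" in authorized_keys) against an ssh-agent (short-lived, but needs an operator). A middle ground that neither side spells out is to keep the unattended key but fence it in on the server with the standard OpenSSH authorized_keys options, so a leaked key file can only run the backup receiver from the backup client's address. The script below is an added example, not code from the thread or from the FreeBSD project; the host address, the forced-command path and the sample key material are constructed placeholders.

```shell
#!/bin/sh
# Added example: constrain an unattended (passphrase-less) backup key in
# authorized_keys so that, even if the private key leaks, it can only run
# one command from one source address. Options used are standard OpenSSH
# authorized_keys options: from=, command=, no-port-forwarding,
# no-X11-forwarding, no-agent-forwarding, no-pty.

# Emit a restricted authorized_keys line.
#   $1 = bare public key line ("ssh-ed25519 AAAA... comment")
#   $2 = permitted client host or CIDR for from=
#   $3 = forced command that the server runs instead of whatever was requested
restrict_backup_key() {
    printf 'from="%s",command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$2" "$3" "$1"
}

# List entries in an authorized_keys file that carry no option prefix at all
# (the line starts directly with a key type). Those keys can open a shell,
# forward ports and so on; for a backup-only account they deserve a look.
list_unrestricted_keys() {
    grep -E '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+) ' "$1" || true
}

# Constructed sample key material (not a real key).
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialOnlyNotReal backup@client'

# Stand-alone demonstration: one restricted backup key plus one bare key,
# then an audit that flags only the bare one.
demo() {
    tmp=$(mktemp)
    restrict_backup_key "$SAMPLE_PUBKEY" "192.0.2.10" "/usr/local/bin/backup-receive" > "$tmp"
    printf '%s\n' "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAExampleOnlyNotReal admin@laptop" >> "$tmp"
    echo "Generated authorized_keys:"
    cat "$tmp"
    echo "Entries with no restrictions:"
    list_unrestricted_keys "$tmp"
    rm -f "$tmp"
}

[ "${1:-}" = "demo" ] && demo
```

Run with `sh script.sh demo`. The forced command receives the client's original request in `SSH_ORIGINAL_COMMAND`, so the receiver can refuse anything other than the expected scp invocation. For the agent side of the argument, `ssh-add -t <seconds>` bounds how long a loaded key stays usable, which narrows the "as long as the agent is alive" window the thread describes without removing the need for an operator at start-up.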
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44k6lc4ikw.fsf>