Date: Sat, 26 Sep 1998 04:52:37 +0800
From: Peter Wemm <peter@netplex.com.au>
To: Mark Murray <mark@grondar.za>
Cc: Brian Somers <brian@Awfulhak.org>, committers@FreeBSD.ORG
Subject: Re: Security and other facilities at WC CDROM - the plan.
Message-ID: <199809252052.EAA04519@spinner.netplex.com.au>
In-Reply-To: Your message of "Fri, 25 Sep 1998 22:16:27 +0200." <199809252016.WAA03537@gratis.grondar.za>
Mark Murray wrote:
> Brian Somers wrote:
> > Having a host in your known_hosts and .shosts file just allows
> > automatic key authentication (no password required). Making the same
> > connection from an IP that's not in known_hosts and .shosts is still
> > ok, but requires your pass phrase or password at login time.
> >
> > Am I missing something ?
>
> ssh-keygen; scp .ssh/identity.pub remote:~/.ssh/authorized_keys

Or, even more perverse^H^H^H^H^H^H^Hbetter:

ssh-agent startx

in an xterm window:

ssh-add
(type your passphrase)

And then from that point onwards, your passphrase is cached and tunneled.
It is stored in memory on your server and it receives remote challenges
for authentication, even chained several times onwards.

So, from some other xterm:

ssh freefall.freebsd.org
freefall% ssh-add -l >> ~/.ssh/authorized_keys

(works now, you'll need a password first time around to get the initial
public key. Once the passwords are deleted, the authorized_keys has to be
set up some other way).

Assuming you have your public key on your own machine's authorized list:

freefall% scp filename yourmachine:/tmp
freefall% scp yourmachine:/somefile /tmp

etc. All this is authenticated via the ssh agent tunnel. Your private key
is never stored on disk in an unencrypted form, and even though it's in
memory it never leaves your home machine.

home% setenv CVS_RSH ssh
home% setenv CVSROOT you@freefall.freebsd.org:/home/ncvs
home% cvs checkout ..something...

and so on.

This is a long description, but is really *really* convenient once you get
the hang of it and have set your authorized_keys files.

.shosts is a very poor second best. Don't use it if you can avoid it. It's
better than .rhosts, but not as safe (or convenient) as key based
authentication. And key authentication is hostname independent, you can
take your key anywhere (so make sure it's got a passphrase on it! - just
like pgp!) and use it from any host. .shosts can't match that.

Cheers,
-Peter
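The authorized_keys setup the mail walks through, as an added example that is not part of Peter Wemm's message or of FreeBSD: a POSIX sh helper that installs a public key line once it is already on the target machine (copied over with scp as in the thread), but idempotently, so repeated `>>` appends do not pile up duplicate entries, and with the 700/600 permissions that satisfy sshd's StrictModes check (sshd refuses keys from a .ssh directory or authorized_keys file that others can write). The function names and the sample key are constructed for this example; the key blob is not a real key.

```shell
#!/bin/sh
# Added example, not code from the original mail. Installs a public key
# line into ~/.ssh/authorized_keys the way the thread describes, but
# without duplicates and with permissions sshd's StrictModes accepts.

# install_authorized_key KEYLINE SSHDIR
# Appends KEYLINE to SSHDIR/authorized_keys unless an identical line is
# already there. Creates SSHDIR (mode 700) and the file (mode 600) as
# needed. Returns 0 when the key is present afterwards, 1 for a line that
# does not look like a public key.
install_authorized_key() {
    key="$1"
    dir="$2"
    file="$dir/authorized_keys"

    # A usable line starts with a key type followed by the base64 blob.
    case "$key" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) return 1 ;;
    esac

    old_umask=$(umask)
    umask 077                      # new files/dirs are private from the start
    mkdir -p "$dir" && chmod 700 "$dir"
    [ -f "$file" ] || : > "$file"
    chmod 600 "$file"
    umask "$old_umask"

    # -F: literal match, -x: whole line, so one key being a prefix of
    # another does not count as "already installed".
    if ! grep -qFx -- "$key" "$file"; then
        printf '%s\n' "$key" >> "$file"
    fi
    return 0
}

# count_authorized_keys SSHDIR: prints the number of key lines installed.
count_authorized_keys() {
    f="$1/authorized_keys"
    [ -f "$f" ] || { echo 0; return; }
    grep -c . "$f"
}

# check_authorized_perms SSHDIR: 0 if the directory is 700 and the file is
# 600, 1 otherwise. Uses ls output so it works on both BSD and GNU.
check_authorized_perms() {
    dmode=$(ls -ld "$1" | cut -c1-10)
    fmode=$(ls -l "$1/authorized_keys" | cut -c1-10)
    [ "$dmode" = "drwx------" ] && [ "$fmode" = "-rw-------" ]
}

# Demo with a constructed (not real) key in a scratch directory.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotReal you@home'
demo_dir=$(mktemp -d)
install_authorized_key "$SAMPLE_KEY" "$demo_dir/.ssh"
install_authorized_key "$SAMPLE_KEY" "$demo_dir/.ssh"   # second call is a no-op
echo "keys installed: $(count_authorized_keys "$demo_dir/.ssh")"   # prints 1
check_authorized_perms "$demo_dir/.ssh" && echo "permissions ok"
rm -rf "$demo_dir"
```

Running the demo installs the constructed key once, shows that a second install leaves a single entry, and confirms the directory and file modes. The whole-line `grep -Fx` check is what makes the repeated `>>` from the mail safe to script.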