Date: Fri, 25 Sep 1998 16:11:00 -0700 (PDT)
From: Matthew Dillon <dillon@backplane.com>
To: Mark Murray <mark@grondar.za>
Cc: Brian Somers <brian@Awfulhak.org>, committers@FreeBSD.ORG
Subject: Re: Security and other facilities at WC CDROM - the plan.
Message-ID: <199809252311.QAA08003@apollo.backplane.com>
References: <199809252001.VAA03478@woof.lan.awfulhak.org> <199809252016.WAA03537@gratis.grondar.za>
:Brian Somers wrote:
:> Having a host in your known_hosts and .shosts file just allows
:> automatic key authentication (no password required). Making the same
:> connection from an IP that's not in known_hosts and .shosts is still
:> ok, but requires your pass phrase or password at login time.
:>
:> Am I missing something ?
:
:ssh-keygen; scp .ssh/identity.pub remote:~/.ssh/authorized_keys
:
:Voila!
:
:M
:--
:Mark Murray

Right. .shosts is almost as bad as .rhosts.

If you use ssh-keygen and slap a password on your private key, you can use ssh-agent and ssh-add in your X session on your local terminal. Here's how it works:

First, if you haven't created a public key pair, create one:

    cd ~
    mkdir .ssh
    cd .ssh
    ssh-keygen

Be sure to assign a password to your private key... it will ask. Don't just hit return.

Then edit your .xinitrc or equivalent:

    # --- your .xinitrc or equivalent ---
    # --- this assumes csh ---
    ...
    eval `ssh-agent -c`
    /usr/X11R6/bin/fvwm2
    /bin/kill $SSH_AGENT_PID

Now [re]start your X session. In any local window, do 'ssh-add':

    lander:/home/dillon> ssh-add
    Need passphrase for /home/dillon/.ssh/identity (dillon@lander.backplane.com).
    Enter passphrase:

Once you have entered your pass-phrase, your entire X session is now authenticated for your public/private keypair and any ssh run from that X session will use it without asking for the password again. You can now ssh to any remote machine that you've put your local account's public key (~/.ssh/identity.pub) into the remote machine's ~/.ssh/authorized_keys file.

Furthermore, ssh will *FORWARD* authentication keys. By typing in that single password from ssh-add on your local workstation, you can now ssh to other machines that allow your local workstation's public key AND you can ssh from those machines to other machines that allow your original workstation's public key. This means that you do not have to type in any passwords once you've done that single ssh-add.

ssh will also forward kerberos tickets in the same manner.

-Matt
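The message's key point is that the private key must carry a passphrase, which is easy to skip by hitting return at the ssh-keygen prompt. As an added example (not code from the original message or from FreeBSD), here is a Python check that audits PEM-armoured private key text for passphrase protection, covering the modern openssh-key-v1 format and legacy PEM keys; the function names and sample keys are constructed for this example, and the 1998 SSH1 identity format is not handled.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"  # opens every openssh-key-v1 blob

def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def _read_ssh_string(buf: bytes, off: int):
    """Decode an SSH wire-format string at `off`; return (bytes, next offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def key_is_passphrase_protected(key_text: str) -> bool:
    """True if a PEM-armoured private key is encrypted under a passphrase."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN"):
        raise ValueError("not a PEM-armoured private key")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        # Header layout: magic, ciphername, kdfname, kdfoptions, nkeys, ...
        cipher, off = _read_ssh_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _read_ssh_string(blob, off)
        return cipher != b"none" and kdf != b"none"
    # Legacy PEM keys (ssh-keygen -m PEM) flag encryption with a Proc-Type header.
    return any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines[1:])

def make_sample_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """Constructed sample: a valid openssh-key-v1 header over dummy key
    material (not a real key), enough to exercise the check above."""
    blob = (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(b"") + struct.pack(">I", 1)
            + _ssh_string(b"dummy-public") + _ssh_string(b"dummy-private"))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed legacy-PEM samples; only the headers matter for this check.
LEGACY_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                    "ZHVtbXk=\n-----END RSA PRIVATE KEY-----\n")
LEGACY_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nZHVtbXk=\n-----END RSA PRIVATE KEY-----\n"
```

Run it over each file in ~/.ssh to find keys that were generated with an empty passphrase and should be re-keyed.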