Date:      Fri, 25 Sep 1998 16:11:00 -0700 (PDT)
From:      Matthew Dillon <dillon@backplane.com>
To:        Mark Murray <mark@grondar.za>
Cc:        Brian Somers <brian@Awfulhak.org>, committers@FreeBSD.ORG
Subject:   Re: Security and other facilities at WC CDROM - the plan. 
Message-ID:  <199809252311.QAA08003@apollo.backplane.com>
References:  <199809252001.VAA03478@woof.lan.awfulhak.org>  <199809252016.WAA03537@gratis.grondar.za>

:Brian Somers wrote:
:> Having a host in your known_hosts and .shosts file just allows 
:> automatic key authentication (no password required).  Making the same 
:> connection from an IP that's not in known_hosts and .shosts is still 
:> ok, but requires your pass phrase or password at login time.
:> 
:> Am I missing something ?
:
:ssh-keygen; scp .ssh/identity.pub remote:~/.ssh/authorized_keys
:
:Voila!
:
:M
:--
:Mark Murray
 
    Right.  .shosts is almost as bad as .rhosts.  If you use ssh-keygen
    and slap a password on your private key, you can use ssh-agent and 
    ssh-add in your X session on your local terminal.  Here's how it works:

    First, if you haven't created a public key pair create one:

cd ~
mkdir .ssh
cd .ssh
ssh-keygen

    Be sure to assign a password to your private key... it will ask.  Don't
    just hit return.

    Then edit your .xinitrc or equivalent:

# --- your .xinitrc or equivalent ---
# --- this assumes csh ---
...
eval `ssh-agent -c`
/usr/X11R6/bin/fvwm2
/bin/kill $SSH_AGENT_PID

    Now [re]start your X session.

    In any local window, do 'ssh-add':

lander:/home/dillon> ssh-add
Need passphrase for /home/dillon/.ssh/identity (dillon@lander.backplane.com).
Enter passphrase: 

    Once you have entered your pass-phrase, your entire X session is now 
    authenticated for your public/private keypair and any ssh run from
    that X session will use it without asking for the password again.

    You can now ssh to any remote machine that you've put your local account's
    public key (~/.ssh/identity.pub) into the remote machine's 
    ~/.ssh/authorized_keys file.

    Furthermore, ssh will *FORWARD* authentication keys.  By typing in that
    single password from ssh-add on your local workstation, you can now
    ssh to other machines that allow your local workstation's public 
    key AND you can ssh from those machines to other machines that allow
    your original workstation's public key.

    This means that you do not have to type in any passwords once you've
    done that single ssh-add.  ssh will also forward kerberos tickets in
    the same manner.

							-Matt
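The setup Matt describes, as an added example that is not part of the original mail or of FreeBSD: a POSIX sh helper that starts one ssh-agent per session and reuses it rather than spawning a new one per shell, plus an audit function that flags the host-based trust files he warns about (.shosts/.rhosts) and private keys other users can read. It assumes OpenSSH's ssh-agent/ssh-add CLI, a default key path of ~/.ssh/id_ed25519, and the standard ls -l column layout.

```shell
#!/bin/sh
# Added example, not code from the original mail. Assumes OpenSSH's
# ssh-agent (-s) and ssh-add (-l) flags and a POSIX sh.

# Start an agent only if none is reachable, then load the key once so the
# passphrase is typed a single time per session (the mail's ssh-add step).
ssh_agent_start() {
    key="${1:-$HOME/.ssh/id_ed25519}"          # key path is an assumption
    if [ -S "${SSH_AUTH_SOCK:-}" ]; then
        # ssh-add -l exits 2 when it cannot reach the agent; 0 or 1 mean
        # the agent is usable (with or without identities loaded)
        ssh-add -l >/dev/null 2>&1 || [ $? -ne 2 ] && return 0
    fi
    eval "$(ssh-agent -s)" >/dev/null || return 1
    ssh-add "$key"
}

# Report host-based trust files and loosely-permissioned private keys under
# a home directory. Returns 0 when clean, 1 when anything was flagged.
audit_ssh_home() {
    home="$1"; bad=0
    for f in .rhosts .shosts; do
        if [ -e "$home/$f" ]; then
            echo "FLAG: $home/$f exists (host-based trust, avoid like .rhosts)"
            bad=1
        fi
    done
    for k in "$home"/.ssh/id_* "$home"/.ssh/identity; do
        [ -f "$k" ] || continue
        case "$k" in *.pub) continue ;; esac
        # group and other permission bits are columns 5-10 of ls -l output
        mode=$(ls -ld "$k" | cut -c5-10)
        if [ "$mode" != "------" ]; then
            echo "FLAG: $k is readable by group/others (bits $mode)"
            bad=1
        fi
    done
    return $bad
}
```

Call ssh_agent_start from your shell's login profile instead of .xinitrc if you do not run X; run audit_ssh_home "$HOME" before enabling any key-based login.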

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199809252311.QAA08003>