On 14/02/06, Barry Brimer barry.brimer@bigfoot.com wrote:
Right now I use passwords for some ssh connections, and passwordless ssh for crontab rsyncs, using passwordless rsa keys. (When it asked to enter a password for ssh-keygen I just hit enter). Does this leave me vulnerable? Is there a how-to on this that explains how to use ssh-agent with keys with passes?
I recommend Keychain http://www.gentoo.org/proj/en/keychain/. With keychain, you can log in and unlock your keys and allow your ssh communications to use them as needed. You do have to unlock them after each reboot.
As Barry says, Keychain is very useful, especially for situations where you want a script to connect to another system unattended but want to avoid passwordless keys. There were some decent how-tos on IBM Developerworks ages ago...
http://www.ibm.com/developerworks/library/l-keyc.html
http://www.ibm.com/developerworks/library/l-keyc2/
http://www.ibm.com/developerworks/linux/library/l-keyc3/?Opent=grl,l=929,p=K...
I believe some of the options Keychain accepts have changed since the article was written, but it's still useful.
I have SSHd setup similarly to...
<--------------------------------------------------------------------->
Port 2220
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
SyslogFacility AUTHPRIV
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
IgnoreRhosts yes
PasswordAuthentication no
X11Forwarding yes
<--------------------------------------------------------------------->
In scripts which require the facility to connect "passwordlessly" to other hosts, generate a new keypair with a strong password for the user the script will run as. In one of the user's initialisation scripts (.bashrc/.bash_profile) add the following...
keychain --clear --nogui id_rsa
And then in the script itself source the keychain agent authentication details...
[[ -f $HOME/.keychain/$HOSTNAME-sh ]] && source $HOME/.keychain/$HOSTNAME-sh
Anyone logging into the system as the user will need to enter the password for the keypair to see/use the ssh-agent authentication information but scripts will be able to use it without intervention.
Will.
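As an added example (not code from Will, Barry or the Keychain project), the two halves of the set-up above as POSIX shell functions a batch script can source: one that loads the agent details keychain writes to $HOME/.keychain/$HOSTNAME-sh and refuses to continue when no unlocked agent is reachable (so a cron job fails loudly instead of hanging on a passphrase prompt), and one that audits an sshd_config against the hardening directives Will quotes. The default file path mirrors keychain's naming; the function names, the sample sshd_config text and the fake keychain environment file are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original thread. Functions assume the
# keychain file layout shown in the thread (SSH_AUTH_SOCK=...; export ...).

# Source keychain's per-host environment file and confirm the agent socket
# it names actually exists. Returns 0 on success, 1 otherwise, so callers
# can do: load_keychain_env || exit 1
load_keychain_env() {
    envfile="${1:-$HOME/.keychain/$(hostname)-sh}"
    if [ ! -f "$envfile" ]; then
        echo "no keychain environment file at $envfile" >&2
        return 1
    fi
    # The file sets and exports SSH_AUTH_SOCK / SSH_AGENT_PID into this shell.
    . "$envfile"
    if [ -z "${SSH_AUTH_SOCK:-}" ] || [ ! -S "$SSH_AUTH_SOCK" ]; then
        echo "agent socket missing; log in as this user and unlock the key first" >&2
        return 1
    fi
    return 0
}

# Check an sshd_config for the directives the thread relies on. sshd uses the
# first occurrence of a directive, so only the first match counts. Prints one
# line per deviation and returns the number of deviations (0 = all good).
audit_sshd_config() {
    cfg="$1"
    bad=0
    for pair in "PasswordAuthentication no" "PubkeyAuthentication yes" \
                "StrictModes yes" "IgnoreRhosts yes" "Protocol 2"; do
        key=${pair%% *}
        want=${pair#* }
        # Directive names are case-insensitive in sshd; compare lowercased.
        got=$(awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$cfg")
        if [ "$got" != "$want" ]; then
            echo "$key: expected '$want', found '${got:-<unset>}'"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}
```

A cron script would start with `load_keychain_env || exit 1` and then call rsync or ssh as usual; `audit_sshd_config /etc/ssh/sshd_config` is the check to run after editing the server side, since a config that still answers `PasswordAuthentication yes` defeats the point of moving to passphrase-protected keys.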