[CentOS] SSH Automatic Log-on Failure - Centos 5.5

Nico Kadel-Garcia nkadel at gmail.com
Thu Jan 27 07:39:29 UTC 2011


On Thu, Jan 27, 2011 at 2:03 AM, Indunil Jayasooriya
<indunil75 at gmail.com> wrote:
>
>
> On Thu, Jan 27, 2011 at 12:15 PM, Always Learning <centos at g7.u22.net> wrote:
>>
>> Hallo,
>>
>> I wanted to avoid typing-in my password every occasion I remotely
>> logged-on to a server.
>
>
>
> you expect Passwordless SSH. If so,
>
>
> On your PC
>
> # ssh-keygen -t rsa       ( passphrase should be empty )

NO!!! NO!!! NO!!! NO!!!

I'm sorry, but this is a far too comon and very, very bad practice.
You may as well tape a Post-It note with your password on it under
your keyboard, because anyone who can get this un-passphrase protected
key will be able to automatically log in as you.
The normal approach is to investigate how to use ssh-agent to store
your unlocked key in an active session, not use a passphrase-less key.
The "keychain" utiliti is very handy for just this purpose, and it's
available in the RPMforge repositories for RHEL 5 and CentOS 5.

Far too many people say "but you have to trust your own machine!!!"
and leave these passphrase-less keys lying around, and they're a
popular vulnerability for crackers to steal if they can gain *any*
access to your systems. It's particularly bad in environments that use
NFS and allow local hosts to be run by local users: any such local
admin can then "su" to become other users and access their private
keys.

Also, there's a stack of reasons that DSA is preferred to RSA for SSH
keys these days. When you generate your private keys, use "ssh-keygen
-t dsa", not rsa.

> Generating public/private rsa key pair.
> Enter file in which to save the key (/root/.ssh/id_rsa):
> Enter passphrase (empty for no passphrase):
> Enter same passphrase again:
>
> then,
>
> # cd /root/.ssh/
>
> Pls scp id_rsa.pub to the Server
>
> # scp id_rsa.pub root at server:/root/.ssh/authorized_keys

Wrong again. Never use public key access for root accounts, it simply
compounds the security risks. Passphrase protected SSH keys can be
used, reasonably, for account access on other hosts, but should be
avoided for root access. If you *HAVE* to use an SSH key for root, for
example for "rsync" based backup operations, use rssh to restrict its
operations or designate a permitted command associated with that key
in the target's authorized_keys.
>
> then, finally ssh to the server from your PC. it would be passwordless.
> pls see below

Sadly, this will *work*, but so does tying your car keys to your car
door so you don't lose them. It's a security issue.

Please, read the manual pages on "ssh-agent" which was designed and
built into SSH deployments for just such use.



More information about the CentOS mailing list