[ale] SSH password

Ken Kennedy kkennedy at kenzoid.com
Fri Feb 8 10:44:18 EST 2002


On Thu, Feb 07, 2002 at 08:36:38PM -0500, James CE Johnson wrote:
> > 
> >    Is there any way to store a password to a certain host in a config 
> > file such that you can ssh to that host without specifying a password??
> 
> Sure. Use ssh-keygen to generate your public/private key but don't
> put a passphrase on 'em. Then put the contents of identity.pub into
> ~/.ssh/authorized_keys on every system you want to login to.
> 

Yikes!! You've thrown away quite a bit of the security of keygen
there. If anyone ever hacks into your local box, they automatically
have access to all remote machines that use that key. 

Create your key, but put a password on it. Use ssh-agent to cache
(securely) your decrypted private keys.

I realize the allure of "no password" authentication. It makes things
like scripts to scp (secure copy) files, etc. very easy. But take a
look at:

http://www-106.ibm.com/developerworks/linux/library/l-keyc2/?dwzone=linux

This article on OpenSSH key mgmt includes an EXCELLENT bash script called
"keychain" that, in conjunction with ssh-agent, gives you basically
all of the flexibility of "no password" keys, without the
disadvantages. Plus, that article and its predecessor (it's part 2)
are an excellent introduction to the use of OpenSSH in general. 

-- 

Ken Kennedy	| http://www.kenzoid.com	| kenzoid at io.com
