[ale] automating ssh script
Michael Hirsch
mhirsch at nubridges.com
Tue Jul 30 10:09:33 EDT 2002
On Mon, 2002-07-29 at 17:56, Keith Hopkins wrote:
> Michael Hirsch wrote:
> > On Mon, 2002-07-29 at 07:56, Keith Hopkins wrote:
> >
> >>Hey Drew, (take 2!)
> >>
> >> This seems like a no-brainer to me. Just to confirm that, I tried it myself,
> >>and it worked (no passphrase prompt, no password prompt.)
> >>
> >> First question...when you are generating the keys (type 1 or 2), what are you
> >>entering for the "Enter passphrase" prompts? You should hit Enter
> >>twice without typing anything. Anything you type here will be
> >>prompted for at login.
> >
> >
> > This is a bad idea. What he is trying to do is to enable typing in the
> > passphrase once when running ssh-agent, then not needing to run it again.
>
> Why is it a bad idea? Your private key is like a real key, it will open
> the door that it fits. It is safe (without a passphrase) as long as
> you don't give it away. Also like a real key, it can be lost or
> stolen, and this is where a passphrase can give you some added
> protection. What I don't know, and maybe someone can enlighten
> me....if someone hacks my system and steals my private key, and steals
> all the ssh-agent information, will that not also give them the same
> capability as if they had the passphrase?
Nope. If someone steals your secret keys and they don't need a
passphrase, they can impersonate you anywhere and anytime. If they steal
your secret keys but they do need a passphrase, then they still need to
crack the passphrase.
You are right that if ssh-agent is running there is a wider opening than
if not. If someone is able to become your user then they can connect to
your ssh-agent. While connected, they can impersonate you. But if you
kill the agent then they can't be you any longer.
So it is a question of "layers of security". Without a passphrase there
is only one layer--your secret key. Once the key is stolen you cannot
prevent impersonation. With a passphrase, even after the key is stolen
you cannot be impersonated at will.
>
> I'm not understanding what you mean by "not needing to run it again"....
> it seems you always have to have ssh-agent running.
Sorry, I meant "typing it in again". I run ssh-agent when I start X. I
only have to enter my passphrase once. Then I don't need to ever think
about my password or passphrase until the next time I log in.
--Michael
---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
sent to listmaster at ale dot org.
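The "layers of security" argument above can be checked directly with OpenSSH's own tools. The script below is an added example (not part of the original thread or of any list member's post): it generates one key with no passphrase and one with a passphrase, shows that the first opens from the file alone while the second does not, and then walks a throwaway ssh-agent through load, lifetime, list, unload and kill. It assumes ssh-keygen, ssh-agent and ssh-add are on PATH; the key comment "demo", the passphrase and the temp paths are constructed for the example.

```bash
#!/bin/sh
# Added example, not code from the original thread. Assumes OpenSSH's
# ssh-keygen / ssh-agent / ssh-add are installed. Key files live in a
# temporary directory created below.

# gen_key KEYFILE PASSPHRASE
# -N sets the passphrase ("" means an unencrypted key, the one-layer case).
# -q suppresses the banner and randomart; stdin is /dev/null so nothing
# can prompt. The comment "demo" is constructed and is used below to find
# the key in `ssh-add -l` output.
gen_key() {
    ssh-keygen -q -t ed25519 -N "$2" -C "demo" -f "$1" </dev/null
}

# key_opens_without_passphrase KEYFILE
# Returns 0 if the private key can be read with NO passphrase.
# `ssh-keygen -y` re-derives the public key from the private file;
# -P "" supplies an empty passphrase instead of prompting, so on an
# encrypted key it fails rather than asking. A stolen copy of a key that
# passes this check is immediately usable by the thief.
key_opens_without_passphrase() {
    ssh-keygen -y -P "" -f "$1" >/dev/null 2>&1 </dev/null
}

# agent_session KEYFILE SECONDS
# Starts a private agent, loads the key with a lifetime (-t) so it expires
# on its own, lists loaded identities, then removes them (-D) and kills
# the agent (-k). Anyone who can reach the agent socket while the key is
# loaded can authenticate as you; after -D / -k they cannot.
# Prints 1 if the key was listed while loaded, 0 otherwise.
agent_session() {
    eval "$(ssh-agent -s)" >/dev/null
    # A passphrase-less key loads silently; a passphrase-protected key
    # would prompt here exactly once, which is what the agent is for.
    ssh-add -t "$2" "$1" >/dev/null 2>&1 </dev/null
    listed=$(ssh-add -l 2>/dev/null | grep -c "demo" || true)
    ssh-add -D >/dev/null 2>&1
    ssh-agent -k >/dev/null 2>&1
    echo "$listed"
}

# Demo run: one key of each kind, in a scratch directory.
if command -v ssh-keygen >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    gen_key "$tmp/nopass" ""
    gen_key "$tmp/withpass" "correct horse battery staple"   # constructed passphrase
    if key_opens_without_passphrase "$tmp/nopass"; then
        echo "nopass:   one layer, the file alone is enough"
    fi
    if ! key_opens_without_passphrase "$tmp/withpass"; then
        echo "withpass: two layers, a stolen file still needs the passphrase"
    fi
    if command -v ssh-agent >/dev/null 2>&1; then
        echo "agent held key during session: $(agent_session "$tmp/nopass" 60)"
    fi
    rm -rf "$tmp"
fi
```

In day-to-day use the agent step is `eval "$(ssh-agent -s)"` once at login (or from the X startup script, as described above) followed by `ssh-add -t <seconds>`; `ssh-add -D` when stepping away and `ssh-agent -k` at logout close the window during which a compromised account could borrow the loaded key.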