
Re: Passing password in ssh

On Jan 22, 2008 5:36 PM, Craig White <craigwhite azapple com> wrote:
On Tue, 2008-01-22 at 11:38 -0800, Aldo Foot wrote:
>
>
> On Jan 22, 2008 8:34 AM, Gijs <info boer-software-en-webservices nl >
> wrote:
>         Or you can do it the "easy" way. Use public keys without a
>         password on it.
>         You won't have to type in any password, so you won't get the
>         popup
>         anymore, and it's relatively secure.
>
> I agree. Passwordless SSH keys are _very_ insecure in my opinion.
> Just pray that the account owning the keys is not compromised...
> because then
> the floodgates are opened.
> Of course this is a non-issue if your systems are in some private net
> not exposed
> to outside traffic.
----
I'm confused by this comment.

If you use ssh keys, does it matter whose account is compromised? Once
the account is compromised, couldn't they just load a keylogger?

And then, ssh keys still have passwords unless the creator of the keys
decides to omit a password.

Am I missing something here?

Craig


Well, the scenario I described actually happened years ago to someone I knew.
If I create keys without a passphrase, and share the public keys between
two systems (A and B), then from system A I can log in to system B by
simply saying "ssh user B". This is very convenient for cron jobs.

This is particularly risky when the systems are accessed by the general public.
How does someone find out the username? I don't know... company phonebook,
online profiles listing first/lastname, etc.

~af
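
An added example, not part of the original thread: a check that reports whether a private key file is stored without a passphrase, the case the messages above argue about. It reads the cipher name from the current OpenSSH key format and the Proc-Type header from legacy PEM keys; the function names and the sample key builder are assumptions made for illustration.

```python
import base64
import struct
import sys

MAGIC = b"openssh-key-v1\x00"  # header of the current OpenSSH private key format


def key_is_passphrase_protected(text):
    """Return True if the private key text is encrypted, False if stored in the clear."""
    lines = [l.strip() for l in text.strip().splitlines()]
    first = lines[0] if lines else ""
    if "PRIVATE KEY" not in first:
        raise ValueError("not a private key file")
    inner = [l for l in lines if l and not l.startswith("-----")]
    headers = [l for l in inner if ":" in l]  # legacy PEM headers, e.g. Proc-Type
    if "OPENSSH PRIVATE KEY" in first:
        blob = base64.b64decode("".join(inner))
        if not blob.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        # After the magic comes a length-prefixed cipher name; "none" means no passphrase.
        (n,) = struct.unpack_from(">I", blob, len(MAGIC))
        start = len(MAGIC) + 4
        return blob[start:start + n] != b"none"
    if "ENCRYPTED PRIVATE KEY" in first:  # encrypted PKCS#8
        return True
    # Legacy PEM (RSA/DSA/EC): encryption is announced by a Proc-Type header.
    return any(h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers)


def sample_openssh_key(cipher):
    """Constructed, header-only sample in openssh-key-v1 layout (no real key material)."""
    s = lambda b: struct.pack(">I", len(b)) + b
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    body = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


if __name__ == "__main__":
    # Pass private key paths as arguments, e.g. ~/.ssh/id_rsa (not the .pub files).
    for path in sys.argv[1:]:
        with open(path) as fh:
            ok = key_is_passphrase_protected(fh.read())
        print(f"{path}: {'passphrase-protected' if ok else 'NO PASSPHRASE'}")
```

Keys reported as having no passphrase are the ones whose use is worth restricting on the server side, for example with the `command=` and `from=` options in authorized_keys.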

