Passing password in ssh

Mikkel L. Ellertson mikkel at infinity-ltd.com
Wed Jan 23 02:09:52 UTC 2008


Aldo Foot wrote:
> 
> I agree. Passwordless SSH keys are _very_ insecure in my opinion.
> Just pray that the account owning they keys is not compromised... 
> because then the floodgates are opened.
> Of course this is a non-issue if your systems are in some private net no 
> exposed to outside traffic.
>  
While there is a security risk in using a passwordless SSH key, it 
is less of a risk then most of the other ways of doing it. This is 
especially true if root owns the key, and/or the key is limited to 
specific commands on the remote machine. It is definitely more 
secure then trying to provide the password as part of the command 
line, and about as secure as providing the password in a batch file. 
You also have the option of limiting the host(s) the key works from. 
There are also things you can do with known-hosts to add even more 
security, but you get the idea.

While having a pass phrase (not password) on a ssh key is normally a 
good idea. But if you need to connect to a remote machine as part of 
a cron job, a key without a pass phrase, if set up properly, is not 
that big of a security risk.

Mikkel
-- 

   Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/fedora-list/attachments/20080122/4c36d391/attachment-0001.sig>


More information about the fedora-list mailing list