Passing password in ssh

Mikkel L. Ellertson mikkel at infinity-ltd.com
Wed Jan 23 02:33:29 UTC 2008


Aldo Foot wrote:
> 
> Well, the scenario I described actually happened years ago to someone I 
> knew.
> If I create keys without a passphrase, and share the public keys between
> two systems (A and B), then from system A I can log in to system B by
> simply saying "ssh user at B". This is very convenient for cron jobs.
> 
> This is particularly risky when the systems are accessed by the general 
> public.
> How does someone find out the username? I don't know... company phonebook,
> online profiles listing first/last name, etc.
> 
You do know that you first have to get the private key of the key 
pair, right? So you have to crack user at A's account, at least to the 
point of getting the private key. Remember, the key will not work 
unless it is only readable by the user. The .ssh directory also 
needs to be set this way. So just being able to log into machine A 
is not enough. You also need access to the private key.

But even having a pass phrase does not help if someone uses dumb 
passwords. Things like first name as user name, and last name as 
password. Then they use their full name as the pass phrase on the 
key. Or if machine B lets you ssh in using username/password, and 
you have a user like this. The key is to use the tools responsibly.

Mikkel
-- 

   Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!
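The permission rules Mikkel relies on above are enforced by OpenSSH itself: the ssh client refuses a private key that is readable by group or others, and sshd (with the default StrictModes) ignores an authorized_keys file whose directory or file is writable by anyone but the owner. The script below is an added example, not code from the original thread or from OpenSSH; it audits a given .ssh directory for exactly those conditions so a cron job's key setup can be checked before it silently fails. The directory path, the hypothetical file names and the constructed test key in the usage are assumptions, and it uses GNU `stat -c` with a BSD `stat -f` fallback.

```shell
#!/bin/sh
# Added example (not from the original post): audit an ssh client directory
# for the permission problems OpenSSH rejects.
#   - the directory itself should be 0700
#   - private keys (files starting with a -----BEGIN header) must not be
#     readable by group or others, or ssh refuses to load them
#   - authorized_keys must not be writable by group or others, or sshd
#     ignores it under StrictModes (the default)

# Print the octal permission bits of a path: GNU stat first, BSD stat second.
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Usage: audit_ssh_dir DIR
# Prints one finding per line; returns 0 if clean, 1 if anything was found.
audit_ssh_dir() {
    dir=$1
    rc=0

    dperm=$(perm_of "$dir")
    # Any bit in the group/other positions makes the directory too open.
    case "$dperm" in
        *00) ;;
        *) echo "$dir: mode $dperm, directory should be 700"; rc=1 ;;
    esac

    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.pub) continue ;; esac
        # Private keys carry a PEM / OpenSSH header on the first line.
        if head -n 1 "$f" 2>/dev/null | grep -q '^-----BEGIN'; then
            fperm=$(perm_of "$f")
            case "$fperm" in
                *00) ;;
                *) echo "$f: mode $fperm, private key must be 600 (ssh will refuse it)"; rc=1 ;;
            esac
        fi
    done

    ak="$dir/authorized_keys"
    if [ -f "$ak" ]; then
        aperm=$(perm_of "$ak")
        # Group or other write bit set (digit 2, 3, 6 or 7 in either position).
        case "$aperm" in
            *[2367]?|*[2367])
                echo "$ak: mode $aperm is writable by group/others; sshd ignores it under StrictModes"
                rc=1 ;;
        esac
    fi

    return $rc
}

# Usage: ./audit_ssh.sh ~/.ssh   (assumed invocation; no output means clean)
if [ "$#" -gt 0 ]; then
    audit_ssh_dir "$1"
fi
```

Run it as the cron user, not as root: the checks describe what that user's ssh will accept, and a key that is 0600 but owned by someone else still fails the "only readable by the user" rule in a way this script does not detect.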


