Passing password in ssh
Mikkel L. Ellertson
mikkel at infinity-ltd.com
Wed Jan 23 22:36:05 UTC 2008
Aldo Foot wrote:
>
> Controlling access to the media storing the keys and accounts is of my
> greatest concern in particular if the system is located in some other city and
> someone else admins the machine.
>
> Maybe I'm too paranoid.
>
If the remote machine must access your machine, then set it up so the
key runs one command on the local machine. If you don't trust the
administrator on the remote machine, then a pass phrase on the key
does not help, unless the administrator does not have the pass
phrase. You would probably be better off having the key on some type
of media you bring with you.

Now, if this were interactive access, then it would be different.
But if you have to pass the pass phrase as part of a script, or read
it from a file, then the only advantage is that the cracker has to
grab an extra file or two. Now, if you can arrange things so that
you do not need root access on the remote machine, then you can
create a user specifically for the access, and limit the access. If
you have to allow automated remote access, then there is no way to
make it totally safe. But you can limit the damage that can be done.
Mikkel
--
Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!
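
The "key runs one command" setup and the dedicated limited user described in the reply above, shown as an added example that is not part of the original message. The wrapper path, the `backup` account, the job names, the scripts under `/usr/local/libexec` and the source address are all assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: forced-command wrapper for an automation-only SSH key.
# Install as /usr/local/bin/ssh-gate.sh (hypothetical path) on the machine
# being accessed, owned by root and not writable by the login account.
#
# Matching entry in ~backup/.ssh/authorized_keys (a single line, key elided):
#   command="/usr/local/bin/ssh-gate.sh --run",from="192.0.2.10",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA... automation-key
#
# sshd ignores the command the client asked for, runs this wrapper instead,
# and exposes the client's request in SSH_ORIGINAL_COMMAND.

# Map a requested job name to the one fixed program it may start.
# Prints the program path and returns 0; returns 1 for anything else.
# Exact match only: no arguments, no globbing, nothing reaches eval or sh -c.
resolve_job() {
    case "$1" in
        backup-home) echo "/usr/local/libexec/backup-home.sh" ;;  # hypothetical job
        disk-report) echo "/usr/local/libexec/disk-report.sh" ;;  # hypothetical job
        *) return 1 ;;
    esac
}

# Entry point used by the authorized_keys line above.
if [ "${1:-}" = "--run" ]; then
    request=${SSH_ORIGINAL_COMMAND:-}
    client=${SSH_CONNECTION%% *}    # first field is the client address
    if target=$(resolve_job "$request"); then
        logger -t ssh-gate "allowed job=$request from=$client"
        exec "$target"
    fi
    # The raw request is not logged: it is attacker-controlled text.
    logger -t ssh-gate "denied request from=$client"
    echo "ssh-gate: request not permitted" >&2
    exit 1
fi
```

A stolen copy of this key can then start only the listed jobs, from the listed address, as the unprivileged account; interactive shells and forwarding are refused.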