Passing password in ssh

Aldo Foot lunixer at gmail.com
Wed Jan 23 22:38:41 UTC 2008


2008/1/22 Mikkel L. Ellertson <mikkel at infinity-ltd.com>:

> Aldo Foot wrote:
> >
> > Well, the scenario I described actually happened years ago to someone I
> > knew.
> > If I create keys without a passphrase, and share the public keys between
> > two systems (A and B), then from system A I can log in to system B by
> > simply saying "ssh user at B". This is very convenient for cron jobs.
> >
> > This is particularly risky when the systems are accessed by the general
> > public.
> > How does someone find out the username? I don't know... company phonebook,
> > online profiles listing first/lastname, etc.
> >
> You do know that you first have to get the private key of the key
> pair, right? So you have to crack user at A's account, at least to the
> point of getting the private key. Remember, the key will not work
> unless it is only readable by the user. The .ssh directory also
> needs to be set this way. So just being able to log into machine A
> is not enough. You also need access to the private key.
>

You are correct. My worst nightmare does not include stealing the private
key. But simply cracking into a user's account who has access to several
systems containing the keys.

Worst scenario is when someone breaks into a system, gains root access,
and does "su - user" to such an account, and by looking into the .shosts tries
his luck on other systems.


>
> But even having a pass phrase does not help if someone uses dumb
> passwords. Things like first name as user name, and last name as
> password. Then they use their full name as the pass phrase on the
> key. Or if machine B lets you ssh in using username/password, and
> you have a user like this. The key is to use the tools responsibly.


Bingo!  There lies my problem.

Perhaps a good practice is to configure accounts such as those for
cron jobs to use only specific commands.
Does anyone reading this thread use such a setup?
I'll play with this a bit.


>
> Mikkel
> --
>
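An added example (not from this thread or from either poster) of the setup Aldo is asking about: an authorized_keys entry on system B that ties the passphrase-less cron key to a forced command and a source host, and the wrapper logic that sshd's "command=" option hands SSH_ORIGINAL_COMMAND to. The wrapper path, the source address, the key blob and the two allowed commands are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Restrict a passphrase-less cron key
# on system B to a fixed allow-list of commands. Two parts:
#   1. the authorized_keys line, using OpenSSH's command=, from= and no-* options;
#   2. the forced-command wrapper that sshd runs instead of the client's request.
# Paths, hosts, key blob and allowed commands are placeholders (assumptions).

# Build the ~/.ssh/authorized_keys line for the cron key.
#   $1 = host or CIDR the key may connect from (from= option)
#   $2 = public key, "type base64blob comment"
# no-pty/no-*-forwarding remove the interactive shell and tunnelling that a
# stolen key would otherwise buy.
akeys_line() {
    printf 'command="/usr/local/bin/cron-wrapper",from="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' "$1" "$2"
}

# Decide whether the command the client asked for is permitted. sshd puts the
# client's requested command in SSH_ORIGINAL_COMMAND; an interactive login
# arrives as an empty string. The match is on the exact full string, so
# appended arguments or ";"-chained commands do not match anything.
# Returns 0 if allowed, 1 otherwise.
cron_wrapper_allow() {
    case "$1" in
        "/usr/local/bin/backup-db")        return 0 ;;   # placeholder allowed job
        "/usr/local/bin/nightly-report")   return 0 ;;   # placeholder allowed job
        *)                                 return 1 ;;   # everything else, incl. ""
    esac
}

# Entry point when installed as /usr/local/bin/cron-wrapper and named in command=.
run_forced_command() {
    cmd="${SSH_ORIGINAL_COMMAND:-}"
    if cron_wrapper_allow "$cmd"; then
        # $cmd is one of the literal allow-list entries above, so word splitting
        # here can only produce the path we already vetted.
        exec $cmd
    fi
    # Record the refusal with the peer address sshd exposes in SSH_CONNECTION.
    logger -t cron-wrapper "rejected '$cmd' from ${SSH_CONNECTION%% *}" 2>/dev/null || :
    echo "cron-wrapper: command not permitted" >&2
    exit 1
}

# Only act as the wrapper when invoked under that name; sourcing the file
# (for instance to call akeys_line) does nothing.
if [ "${0##*/}" = "cron-wrapper" ]; then
    run_forced_command
fi
```

The allow-list only narrows what the key can do on B; someone who is root on A and runs one of the two permitted commands still gets that command executed, which is the point of keeping the list to harmless, idempotent jobs. Pairing command= with from= means a private key copied off A is useless from any other address.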