gabriel rosenkoetter on Wed, 05 Feb 2003 09:10:35 -0500



Re: [PLUG] Perl question


On Tue, Feb 04, 2003 at 08:50:00PM -0500, Tobias DiPasquale wrote:
> What you need is ssh-agent(1). This can store the password for you so
> the Perl script won't need to respond to the prompt (because it won't be
> prompted, as the agent will reply behind the scenes with the correct
> password). Check it out.

It may be seen as nitpicking, but it's kind of an important
distinction that that is NOT what an SSH agent does. The point is
precisely not to authenticate to the remote host using a shared
secret (a password). Rather, SSH agents use a public/private key
pair, which you can use just fine without the agent, of course (see
ssh-keygen(1)). The agent merely requests your passphrase to
unencipher your private key so that it does not need to later ask
for that passphrase again when authenticating to the remote host.

For the purposes of authenticating an automated process, you want to
use an account on the remote host with access limited to precisely
what it needs to do and a null-passphrased key (just hit enter when
asked for a passphrase by ssh-keygen(1)). You can limit what
command(s) a given key can perform in ~/.ssh/authorized_keys on the
remote host, and doing so would be a good idea (setting up a
pseudo-user account for the purpose AS WELL would be an even better
one).

On Tue, Feb 04, 2003 at 08:53:30PM -0500, Eugene Smiley wrote:
> epike wrote:
> > the idea is to store your private key
>                             ^^^^^^^
> Okay.
> 
> > on your local server, and store
> > the private key on the remote server---no
>       ^^^^^^^
> Maybe I am confused. Shouldn't this be public key or does ssh use symmetric
> encryption?

No, I have to assume epike mis-typed. The private key should never
leave your possession, virtually or physically. Leaving it on the hard
drive of a system shared with others isn't even the best of ideas.
(My keys that let me into places as a regular user I keep on
workstations, my keys that let me into places as root are on a
floppy that travels with me.)

The part of the key on the server is, just as you would expect, a
public key.

You can't, in any proper sense, use symmetric encryption for
authentication. Even when you authenticate with a shared secret, the
connection across which you do so is enciphered by way of the ssh
server's host public/private key.

On Tue, Feb 04, 2003 at 10:27:19PM -0500, Chris Hedemark wrote:
> Don't bother using passwords at all.  Use keys.  OpenSSH has all the 
> tools to do it, and there is a perl module to work with scp directly 
> (Net::SCP) at http://search.cpan.org/author/IVAN/Net-SCP-0.06/SCP.pm

Net::SSH and Net::SFTP also exist. The Net::SFTP interface looks to
be a pretty clean port from Net::FTP, if you're thinking about
transitioning existing scripts, though I haven't played with it
enough to see the kinks.

-- 
gabriel rosenkoetter
gr@eclipsed.net

Attachment: pgpnzXXv30ALG.pgp
Description: PGP signature
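The second paragraph of the reply above (a null-passphrase key for the job, with the key's reach limited in the remote ~/.ssh/authorized_keys) is the kind of setup a practitioner would want to see written out. The script below is an added example and is not code from the original message or from the PLUG thread. It assumes a drop directory of /var/incoming/, a gate script installed at /usr/local/bin/perl-job-gate on the remote host, and a client named client.example.net; the public key line is a constructed placeholder. It goes a step beyond the reply by making the forced command a gatekeeper that compares what the client asked for against the single permitted operation, rather than executing the client-supplied string.

```shell
#!/bin/sh
# Added example, not from the original thread.  Restricting a
# null-passphrase key on the remote host to one job.  The drop
# directory, the gate script path and the client hostname are
# assumptions; the public key line is a constructed placeholder.

# On the client, the key for the automated job is generated without a
# passphrase; -N "" is the non-interactive equivalent of pressing enter:
#   ssh-keygen -t rsa -N "" -f "$HOME/.ssh/perl-job"
# The contents of perl-job.pub are what goes into the remote
# authorized_keys, wrapped in the options restrict_key adds.
PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEKEYDATA== perl-job@client'

# Build one authorized_keys line: force a single command, accept the key
# only from the job's host, and turn off pty, port, X11 and agent
# forwarding, none of which a file-copy job needs.
restrict_key() {
    # $1 = public key line  $2 = forced command  $3 = permitted source host
    printf 'command="%s",from="%s",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' \
        "$2" "$3" "$1"
}

# Gatekeeper logic for the forced command.  sshd puts whatever the client
# asked to run into SSH_ORIGINAL_COMMAND.  That string is compared against
# the one permitted operation (assumed here: an scp upload into the drop
# directory) and is never executed itself, so a different program or any
# trailing shell syntax is simply refused.
allowed_command() {
    case "$1" in
        "scp -t /var/incoming/") return 0 ;;
        *) return 1 ;;
    esac
}

# Entry point when this file is installed as the forced command
# (assumed path: /usr/local/bin/perl-job-gate, invoked with --gate).
run_gate() {
    if allowed_command "${SSH_ORIGINAL_COMMAND:-}"; then
        # Run the fixed command, not the client-supplied string.
        exec scp -t /var/incoming/
    fi
    printf 'perl-job-gate: refused %s\n' "${SSH_ORIGINAL_COMMAND:-<no command>}" >&2
    exit 255
}

if [ "${1:-}" = "--gate" ]; then
    run_gate
fi

# Run without arguments, the script prints the authorized_keys line to
# paste into the job account's ~/.ssh/authorized_keys on the remote host.
restrict_key "$PUBKEY" "/usr/local/bin/perl-job-gate --gate" "client.example.net"
```

The key design point is the last line of run_gate's success path: the gate never hands SSH_ORIGINAL_COMMAND to a shell, it only uses it as a yes/no check and then runs a fixed command. Combined with a dedicated pseudo-user account, as the reply suggests, a leaked null-passphrase key buys an attacker nothing more than the ability to drop files into one directory, and every refused request is logged to stderr (which sshd forwards to the client and, depending on configuration, to syslog).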