JP Vossen on 11 Jun 2009 12:47:32 -0700
> Date: Wed, 10 Jun 2009 22:40:08 -0400
> From: zuzu <sean.zuzu@gmail.com>
>
> dug this out of my archives:
>
> ssh-keychain:
> http://www.gentoo.org/proj/en/keychain/index.xml
>
> http://www-128.ibm.com/developerworks/linux/library/l-keyc.html
> http://www-128.ibm.com/developerworks/linux/library/l-keyc2/

+5 for keychain, with caveats. Also, it's in the Debian & Ubuntu repos, but is just a big shell script anyway. One of the longest recipes in the _bash Cookbook_ is about keychain, just because it's so cool and the docs explain the issues so well, so I got permission to excerpt and include a lot of them.

Sidebar: the ssh-agent is the tool that you are supposed to use to allow you to password protect your key file(s) but still have "passwordless" connections. However, while very elegant and efficient, ssh-agent is one of the least intuitive tools I've seen. Keychain mostly makes that all better.

BUT... By default keychain is like an old DOS TSR, it will "terminate and stay resident" until you kill it or the machine reboots (yes, even if you log out!). That's good for using in cron and scripts, but be aware that anyone who can become you (i.e., root or if you leave a terminal open) can now--passwordlessly--be you in other places too. You have been warned. You can make it not do that in various ways, RTFM.

I don't have passwordless key files, so for me, keychain makes life so much easier than just raw ssh-agent that I'd use it in place of ssh-agent anyway. I actually do need to use it in a cron job from time to time as well.

> Date: Wed, 10 Jun 2009 23:06:57 -0400
> From: "Paul L. Snyder" <plsnyder@drexel.edu>
>
> Actually, it's possible to get remote tab completion using password-based
> authentication (without, in fact, typing your password every time) if you
> enable the 'ControlMaster' option in your ssh_config. This sets ssh up to
> use connection multiplexing.
>
> Thus, open an ssh session to the remote host, and as long as at least one
> session remains open you won't have to authenticate other sessions to the
> same host (including the transient ones for completion). Also, this makes
> opening multiple connections faster, too, as the subsequent ones don't have
> to reauthenticate (making this good for pubkey auth, as well).
>
> One thing to note is that if the ssh session doesn't shut down cleanly you
> might have to wipe the contents of your ControlPath directory before
> multiplexing will work again.

Wow, I've been a big fan of SSH for years, but I've never noticed that one and I end up doing stuff like that a lot. VERY cool, thanks!

Later,
JP
----------------------------|:::======|-------------------------------
JP Vossen, CISSP            |:::======|      http://bashcookbook.com/
My Account, My Opinions     |=========|      http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
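
Added example, not part of the original message and not OpenSSH's own code: a small linter for the ControlMaster setup described in the quoted reply. It applies the ssh_config(5) guidance that a ControlPath should include %h, %p and %r (or %C) and sit in a directory other users cannot write to, and it flags ControlPersist values that leave the master resident indefinitely, the same exposure noted above for keychain. The function names and the sample hosts and paths are constructed for illustration.

```shell
#!/bin/sh
# Lint ssh_config text (file argument or stdin) for multiplexing settings.
audit_mux() {
    awk '
    function report(msg) { print host ": " msg }
    function flush_block() {
        if (path ~ /^(\/tmp|\/var\/tmp|\/dev\/shm)\//)
            report("ControlPath in shared directory: " path)
        if (path != "" && path !~ /%C/ &&
            !(path ~ /%h/ && path ~ /%p/ && path ~ /%r/))
            report("ControlPath lacks %h/%p/%r (or %C): " path)
        if (persist == "yes" || persist == "0")
            report("ControlPersist keeps the master alive indefinitely")
        path = ""; persist = ""
    }
    BEGIN { host = "(global)" }
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
    {
        line = $0
        sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
        n = match(line, /[ \t=]+/)         # keyword/value separator
        if (n == 0) next
        key = tolower(substr(line, 1, n - 1))
        val = substr(line, n + RLENGTH)
        # Each Host or Match line starts a new block; judge the previous one.
        if (key == "host" || key == "match") { flush_block(); host = line }
        else if (key == "controlpath") path = (tolower(val) == "none") ? "" : val
        else if (key == "controlpersist") persist = tolower(val)
    }
    END { flush_block() }
    ' "$@"
}

# Constructed sample configuration (hosts and paths are made up).
sample_config() {
    cat <<'EOF'
Host build
    ControlMaster auto
    ControlPath /tmp/ssh-%r@%h:%p
Host good
    ControlMaster auto
    ControlPath ~/.ssh/cm/%C
    ControlPersist 10m
Host lazy
    ControlPath=~/.ssh/cm/master
    ControlPersist yes
EOF
}

sample_config | audit_mux
```

Each block is judged on its own, so a ControlPath inherited from an earlier matching block is not considered; run it as `audit_mux ~/.ssh/config` against a real file.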