JP Vossen on 11 Jun 2009 12:47:32 -0700


Re: [PLUG] Pros and cons of key-pair based vs password based SSH...

> Date: Wed, 10 Jun 2009 22:40:08 -0400
> From: zuzu <>

> dug this out of my archives:
> ssh-keychain:

+5 for keychain, with caveats.  Also, it's in the Debian & Ubuntu repos, 
but is just a big shell script anyway.  One of the longest recipes in 
the _bash Cookbook_ is about keychain, just because it's so cool and the 
docs explain the issues so well, so I got permission to excerpt and 
include a lot of them.

Sidebar: the ssh-agent is the tool that you are supposed to use to allow 
you to password protect your key file(s) but still have "passwordless" 
connections.  However, while very elegant and efficient, ssh-agent is 
one of the least intuitive tools I've seen.  Keychain mostly makes that 
all better.

BUT...  By default keychain is like an old DOS TSR, it will "terminate 
and stay resident" until you kill it or the machine reboots (yes, even 
if you log out!).  That's good for using in cron and scripts, but be 
aware that anyone who can become you (i.e., root or if you leave a 
terminal open) can now--passwordlessly--be you in other places too.  You 
have been warned.  You can make it not do that in various ways, RTFM.

I don't have passwordless key files, so for me, keychain makes life so 
much easier than just raw ssh-agent that I'd use it in place of ssh-agent 
anyway.  I actually do need to use it in a cron job from time to time as 

> Date: Wed, 10 Jun 2009 23:06:57 -0400
> From: "Paul L. Snyder" <>
> Actually, it's possible to get remote tab completion using password-based
> authentication (without, in fact, typing your password every time) if you
> enable the 'ControlMaster' option in your ssh_config.  This sets ssh up to
> use connection multiplexing.
> Thus, open an ssh session to the remote host, and as long as at least one
> session remains open you won't have to authenticate other sessions to the
> same host (including the transient ones for completion).  Also, this makes
> opening multiple connections faster, too, as the subsequent ones don't have
> to reauthenticate (making this good for pubkey auth, as well).
> One thing to note is that if the ssh session doesn't shut down cleanly you
> might have to wipe the contents of your ControlPath directory before
> multiplexing will work again.

Wow, I've been a big fan of SSH for years, but I've never noticed that 
one and I end up doing stuff like that a lot.  VERY cool, thanks!

JP Vossen, CISSP            |:::======|
My Account, My Opinions     |=========|
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
Philadelphia Linux Users Group         --
Announcements -
General Discussion  --
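The two tools discussed in this message, tied together in a script that is an added example and not code from the thread or from the keychain project. It writes the ControlMaster configuration Paul describes (with the control sockets in a 0700 directory, since anyone who can open such a socket gets a ready-made session on that host, the same exposure as the resident ssh-agent JP warns about), expands the %r/%h/%p tokens the way ssh does, prunes sockets left behind by a master that did not shut down cleanly, and shows the keychain invocation that limits the "stays resident" problem. Assumed: an OpenSSH that understands ControlMaster, ControlPath and "ssh -O check" (ControlPersist is a later addition and can be dropped on old versions), and keychain's --clear and --timeout options; the directory name "cm", the host name "example.org" and the key path are placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread): ControlMaster multiplexing
# plus the keychain caveat from the message above. Assumes OpenSSH with
# ControlMaster/ControlPath/"-O check" and keychain with --clear/--timeout.

# Append a multiplexing fragment to $1 (default ~/.ssh/config). The control
# sockets get their own 0700 directory: holding that socket is as good as
# holding an authenticated session, so keep it away from other users.
write_mux_config() {
    cfg="${1:-$HOME/.ssh/config}"
    sockdir="$(dirname "$cfg")/cm"          # "cm" is an arbitrary name
    mkdir -p "$sockdir" && chmod 700 "$sockdir"
    cat >> "$cfg" <<EOF
Host *
    ControlMaster auto
    ControlPath $sockdir/%r@%h:%p
    # Keeps the master alive 10 minutes after the last session closes.
    # ControlPersist arrived after 2009; remove it on older OpenSSH.
    ControlPersist 10m
EOF
    printf '%s\n' "$cfg"
}

# Expand %r (remote user), %h (host) and %p (port) in a ControlPath
# template, which is what ssh does to name the socket for a connection.
# Usage: expand_control_path TEMPLATE USER HOST PORT
expand_control_path() {
    printf '%s\n' "$1" | sed -e "s|%r|$2|g" -e "s|%h|$3|g" -e "s|%p|$4|g"
}

# The "didn't shut down cleanly" case: a socket file whose master process
# is gone blocks new multiplexed connections. "ssh -O check" asks the master
# behind a socket whether it is alive; dead sockets are removed. Prints the
# number of sockets removed. The host argument to ssh is only used for
# config lookup here because -S names the socket directly.
prune_stale_sockets() {
    dir="${1:-$HOME/.ssh/cm}"
    removed=0
    for sock in "$dir"/*; do
        [ -S "$sock" ] || continue
        if ! ssh -O check -S "$sock" -o BatchMode=yes example.org >/dev/null 2>&1
        then
            rm -f "$sock"
            removed=$((removed + 1))
        fi
    done
    printf '%s\n' "$removed"
}

# keychain with the resident-agent caveat addressed: --clear deletes the
# loaded keys at every new login, so you are re-prompted for the passphrase
# and a leftover session or a root peer can't quietly reuse keys loaded by
# an earlier login; --timeout N makes ssh-agent forget keys after N minutes
# of inactivity. Cron jobs source ~/.keychain/$HOSTNAME-sh, as shown, and
# work while the keys are loaded. Key path is a placeholder.
keychain_login() {
    keychain --clear --timeout 120 "$HOME/.ssh/id_rsa" || return 1
    . "$HOME/.keychain/$(hostname)-sh"
}
```

Call write_mux_config once, then keychain_login from your shell profile; put prune_stale_sockets in the same profile (or run it by hand) when ssh complains about an existing control socket.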