sean finney on 22 Oct 2011 09:43:26 -0700
Re: [PLUG] Setting up SSH public key on OSX
Hiya,

On Thu, Oct 20, 2011 at 12:37:25PM -0400, Paul Walker wrote:
> I'm trying to set up a public key to connect to SSH using public key
> authentication to improve my Git workflow....
>
> The remote server is Ubuntu 10.0.4.
> I generate the keys with the command:
>
> ssh-keygen -t rsa -C "root@mydomain.com"
>
>
> press return three times, then am pasting the contents of id_rsa.pub into a
> newly created authorized_keys file in ~/.ssh/ on my local machine running
> OSX...

I'm going to say a thing or two because I haven't seen anyone else do it, and i think it's prudent...

first, put a passphrase on your private key. if you want passwordless ssh, learn how to set up ssh-agent (or some mac keyring equivalent). without a password, anyone who gets access to your machine instantly has full access to that key and thus the remote account.

second, given the comment you put with the key, i'm going to make the assumption that you're pushing stuff as root, which is also another big NO-NO. Instead you should use either a personal account or better, a dedicated "git" account with no other special privileges, to own the gits.

Then for bonus points, there's a lot of other neat things you can do with your remote authorized_keys file, to *really* lock it down. for example, forcing a specific command, only allowing certain host/network blocks, block port forwarding, pty allocation, etc. This might go a bit into advanced territory, but it's possible to even set up keypairs that can *only* be used for git push/pull commands.

You might consider this overkill, I guess that's subjective, but it's definitely good practice to understand how the tools can be used safely. The difference in damage-control is pretty significant, anyway...

sean
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
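
An added example, not part of the original message: a small auditor that parses authorized_keys entries and reports which of the restrictions mentioned above (forced command, host/network limits, no port forwarding, no pty) each key lacks. The `git-shell` forced command, the 192.0.2.0/24 network, the placeholder key material and the handling of the newer `restrict` option are assumptions made for illustration.

```python
import re

# Restrictions named in the message, as OpenSSH authorized_keys option names.
WANTED = ("command", "from", "no-port-forwarding", "no-pty")
KEY_TYPE = re.compile(r"^(ssh-|ecdsa-sha2-|sk-)")
# A token is a run of plain characters and complete double-quoted strings, so
# spaces and commas inside command="..." or from="..." do not split it.
QUOTED = r'"(?:\\.|[^"\\])*"'
FIELD = re.compile(r'(?:[^\s"]|%s)+' % QUOTED)
OPTION = re.compile(r'(?:[^,"]|%s)+' % QUOTED)

def parse_entry(line):
    """Return (options, key_type, comment), or None if the line holds no key."""
    fields = FIELD.findall(line.strip())
    if not fields or fields[0].startswith("#"):
        return None
    opts = {}
    if not KEY_TYPE.match(fields[0]):  # first field is the option list
        for opt in OPTION.findall(fields.pop(0)):
            name, _, value = opt.partition("=")
            if len(value) > 1 and value[0] == value[-1] == '"':
                value = value[1:-1].replace('\\"', '"')
            opts[name.lower()] = value
    if len(fields) < 2:
        return None
    return opts, fields[0], " ".join(fields[2:])

def missing_restrictions(line):
    """List the WANTED options an entry lacks, or None if there is no key."""
    entry = parse_entry(line)
    if entry is None:
        return None
    opts = entry[0]
    # "restrict" (OpenSSH 7.2 and later) already disables forwarding and pty.
    implied = {"no-port-forwarding", "no-pty"} if "restrict" in opts else set()
    return [w for w in WANTED if w not in opts and w not in implied]

# Constructed sample entries; the key material is a placeholder, not a real key.
SAMPLE = r'''ssh-rsa AAAA_PLACEHOLDER root@mydomain.com
command="git-shell -c \"$SSH_ORIGINAL_COMMAND\"",from="192.0.2.0/24",no-port-forwarding,no-pty ssh-rsa AAAA_PLACEHOLDER git-push-key'''

if __name__ == "__main__":
    for entry_line in SAMPLE.splitlines():
        found = missing_restrictions(entry_line)
        print(parse_entry(entry_line)[2], "->", ", ".join(found) or "all present")
```

The first sample line is an unrestricted key like the one in the question and is reported as missing all four options; the second is limited to git operations from one network.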