[olug] SSH public/private keys
Christopher Cashell
topher at zyp.org
Wed Nov 12 00:13:30 UTC 2003
At Tue, 11 Nov 03, Unidentified Flying Banana Eric Penne, said:
> Here is a little howto on using ssh without a password to log in to places.
[Snip: Instructions on setting up SSH with RSA/DSA key authentication.]
> I log off of olug.org then I try to log back into olug.org and presto! I
> don't need a password.
Hrm... I think you're missing a step, here. My experience is that you
need to use ssh-agent[1] in order to bypass entering a password each
time you log in to a new machine.
Using RSA/DSA keys allows you access to an account without using/knowing
the actual account password, but it does still require you to know the
password for the RSA/DSA key.
The only other way around entering a password each time (without using
ssh-agent) that I know of would be to use an empty (blank) password when
you create the SSH RSA/DSA key. In my opinion, this would be a Very Bad
Idea (tm).
> Back to security. Remember that you don't want to leave the account that
> has your private key (.ssh/id_dsa) open to anybody or they could use that
> to login to the server without the password. You should probably
> periodically change these keys. It isn't that hard and it saves a lot of
> typing if you login to a certain machine many times.
Proper use of SSH RSA/DSA keys should be fairly secure. You shouldn't
have to change the key for a very long time, provided you ensure that
your private key is not accessible. Changing the password on your
private key is, of course, a good idea, and should be done regularly.
> Eric Penne
[1] ssh-agent is like a password cache for SSH. You start it up,
frequently as part of a login script, and then use 'ssh-add' to
tell it about an SSH key and the corresponding password. From that
period on, any requests for that SSH key will be handled.
--
| Christopher
+------------------------------------------------+
| A: No. |
| Q: Should I include quotations after my reply? |
+------------------------------------------------+
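The two points in the reply above, that a key with a blank passphrase is a bad idea and that ssh-agent is what lets you skip the prompt, can both be checked from a shell. The script below is an added example, not code from the original post, from Eric's howto, or from OLUG. It assumes OpenSSH's ssh-keygen, ssh-agent and ssh-add are on PATH; the working directory under $TMPDIR, the passphrase 'correct horse' and the use of ed25519 rather than RSA/DSA keys are choices made here for the example (the passphrase mechanics are the same for any key type).

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSH tools on PATH.
# Working directory and passphrase below are made up for this example.
set -eu

WORK="${TMPDIR:-/tmp}/olug-sshkeys-$$"
mkdir -p "$WORK"
chmod 700 "$WORK"

# One key protected by a passphrase, one created with an empty passphrase
# (the "Very Bad Idea" case).
make_keys() {
    ssh-keygen -q -t ed25519 -N 'correct horse' -C 'protected'   -f "$WORK/protected"
    ssh-keygen -q -t ed25519 -N ''              -C 'unprotected' -f "$WORK/unprotected"
}

# Does this private key require a passphrase?  'ssh-keygen -y' derives the
# public key from the private one; with -P '' it only succeeds when the key
# is stored unencrypted.  Returns 0 (protected) or 1 (usable with no passphrase).
key_is_protected() {
    if ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Audit a directory: print every private key that anyone holding the file
# could use straight away, without knowing a passphrase.
audit_dir() {
    for k in "$1"/*; do
        [ -f "$k" ] || continue
        grep -q 'PRIVATE KEY' "$k" 2>/dev/null || continue   # skip .pub and other files
        key_is_protected "$k" || echo "$k"
    done
}

# Load the protected key into a fresh ssh-agent without a terminal, feeding
# the passphrase through SSH_ASKPASS.  SSH_ASKPASS_REQUIRE=force is honoured
# by OpenSSH 8.4 and later; older releases need DISPLAY set and stdin not a
# tty instead, which this also arranges.  Prints the cached key from ssh-add -l.
agent_load() {
    eval "$(ssh-agent -s)" >/dev/null
    cat > "$WORK/askpass" <<'EOF'
#!/bin/sh
echo 'correct horse'
EOF
    chmod 700 "$WORK/askpass"
    DISPLAY=:0 SSH_ASKPASS="$WORK/askpass" SSH_ASKPASS_REQUIRE=force \
        ssh-add "$WORK/protected" </dev/null 2>/dev/null
    ssh-add -l | grep protected        # the key is now served from the agent
}

# Run with "demo" as the first argument to see the whole sequence.
if [ "${1:-}" = "demo" ]; then
    make_keys
    echo "Keys usable with no passphrase:"
    audit_dir "$WORK"
    echo "Keys held by ssh-agent:"
    agent_load
    ssh-agent -k >/dev/null
fi
```

Run it as `sh keys.sh demo`: audit_dir lists only the key that was created with an empty passphrase, and after agent_load the protected key answers from ssh-add -l, which is why later ssh connections using it get no prompt. audit_dir over your own ~/.ssh is the practical check to run before relying on the "keep the private key inaccessible" advice above.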