Hello Ted,

Your mail is very informative to me. I wonder how to define cmd to run automatically in authorized_hosts? I thought there's nothing but pub keys in the authorized_hosts file.

And, do I need ssh-agent in this case? Do I need to leave the passphrase blank?

Thank you for your patience and kindness.

> On Wed, Jan 02, 2002 at 03:15:20PM +0800, Patrick Hsieh wrote:
> > I've read some doc. using ssh-keygen to generate key pairs, appending
> > the public keys to ~/.ssh/authorized_hosts on another host to prevent
> > ssh authentication prompt. Is it very risky? Chances are a cracker could
> > compromise one machine and ssh login others without any authentication.
>
> use ssh-keygen to generate a new key for *every* machine, and *every*
> application you want to use. In the authorized_hosts section, you limit
> what a single key can do by specifying a cmd that is run automatically...
> in other words, use of the key executes only the command you want, and not
> simply a shell.
>
> That does not limit an attacker from exploiting whatever the passwordless
> identity cmds you've set up, but they can't run rampant w/ root over an
> entire machine.
>
> --
> Ted Deppner
> http://www.psyber.com/~ted/

--
Patrick Hsieh <[EMAIL PROTECTED]>
GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg
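
The forced command Ted describes, as an added example that is not part of the original thread: OpenSSH accepts per-key options such as `command="..."` at the start of a line in `~/.ssh/authorized_keys` (the file the thread calls authorized_hosts). The wrapper path, key material and allowed commands below are constructed for illustration.

```shell
#!/bin/sh
# Added example. Wrapper path, key material and command table are constructed.

# Build one authorized_keys line that pins a key to a single forced command
# and switches off forwarding and pty allocation for that key.
# $1 = wrapper path (hypothetical), $2 = public key line from ssh-keygen
restricted_key_line() {
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$1" "$2"
}

# Decide what the wrapper may run. When command= is set, sshd runs the wrapper
# instead of what the client asked for and passes the client's request in
# SSH_ORIGINAL_COMMAND. Exact-match only: anything else is refused.
# $1 = value of SSH_ORIGINAL_COMMAND. Prints the command; returns 1 if denied.
allowed_command() {
    case "$1" in
        "backup-status") echo "/usr/local/bin/backup-status" ;;  # hypothetical path
        "disk-usage")    echo "/bin/df -h" ;;
        *)               return 1 ;;  # empty (interactive login) or unlisted
    esac
}

# Entry point for the real wrapper script: call it as the last line of the
# file named in command=. Left uncalled here so the demo has no side effects.
wrapper_main() {
    cmd=$(allowed_command "${SSH_ORIGINAL_COMMAND:-}") || {
        echo "denied" >&2
        return 1
    }
    exec $cmd  # unquoted on purpose: fixed strings from the table above
}

# Demo on constructed requests: one allowed, one shell login, one with extras.
for req in "disk-usage" "" "disk-usage; id"; do
    if cmd=$(allowed_command "$req"); then
        echo "allow [$req] -> $cmd"
    else
        echo "deny  [$req]"
    fi
done
```

As Ted notes, a stolen key can still run whatever the table allows, so the table should list only commands that are safe to expose without a passphrase.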