On Sat, Feb 01, 2003 at 12:57:08PM -0800, nate wrote:
> will trillich said:
>
> > at what point are the passphrases required? if passwordless
> > login/scp is the objective, where are the passphrases used?
>
> ssh-agent is designed to prompt you for your passphrase, then
> it stores it in memory, and automatically 'inputs' it when you
> connect. That is until you logout or reboot or something. I
> have never used ssh-agent myself. for my personal account I
> use SSH w/passphrase and just input it every time. I use
> passphrase-less keys for mostly non interactive stuff.
afaik ssh-agent stores the key in memory, not the passphrase (you never
give ssh-agent the passphrase, that's from ssh-add). ssh-agent outputs
some environment variables that can be inherited by child processes, and
then you load in your key with ssh-add or ssh-askpass. all the child
processes that get spawned from the process that launched ssh-agent
inherit certain env variables that let them know how to communicate with
the agent, that then provides the key-based authentication for
connections. this process can further be forwarded onto another machine,
and the real beauty of it is that on the remote machine nothing is
stored other than a socket to talk back to the agent on the home
machine.

for example, this is in my .xsession, and lets me ssh without a password
even though i have a passphrase on my key in any child process of my
xsession (xterms, et c.):

eval `ssh-agent`
ssh-add .ssh/id_dsa </dev/null

> running w/o a passphrase is still probably the most common
> way to perform automated tasks. that is, stuff from cron etc.

true. you can however limit what commands can be executed from
authorizing with a specific key. it'd be neat to see some way someone
could spawn off cron using ssh-agent, but it'd make boot-up require
someone be at the console.

> if the system is properly secured the chance of a key getting
> compromised is not that great.

that's no attitude to take towards security.

> on my more secure systems I lock them down to key logins only,
> so even if they have my root password or account password they
> have no opportunity to input them.

right, but if they're storing a passphraseless key on another machine to
which someone else has root, that someone else now has access to your
machine too. if that's your root key...

sean
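The two mechanisms the thread touches on, as an added example that is not from either poster: the .xsession agent workflow sean quotes (agent started, one key loaded with ssh-add, child processes checking for the inherited socket), and the authorized_keys restriction he mentions for keys that have to live passphrase-less on another host (a forced command plus no-forwarding/no-pty options, with the client's original request allow-listed via SSH_ORIGINAL_COMMAND). The key path, the wrapper path, the sample public key and the permitted rsync request are all illustrative assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not code from the original thread). Illustrative
# assumptions: ~/.ssh/id_dsa as the key, /usr/local/bin/backup-wrapper
# as the forced command, and a constructed sample public key.

# 1. Per-session agent, as in the .xsession line quoted in the thread.
#    The agent holds the decrypted private key in memory; ssh-add is the
#    program that reads the passphrase (from the tty, or via ssh-askpass
#    when stdin is /dev/null). Returns 1 if no agent binary is present.
start_agent() {
    command -v ssh-agent >/dev/null 2>&1 || return 1
    eval "$(ssh-agent -s)" >/dev/null        # exports SSH_AUTH_SOCK and SSH_AGENT_PID
    ssh-add "$HOME/.ssh/id_dsa" </dev/null   # assumed key path
}

# 2. What a child process (an xterm spawned from the session) can check:
#    it inherited SSH_AUTH_SOCK and the socket actually exists.
agent_reachable() {
    [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# 3. authorized_keys line for a passphrase-less automation key. The
#    forced command replaces whatever the client asked for, and the extra
#    options remove forwarding and PTY allocation, so a copy of the key
#    taken from the other host buys only that one command.
#    Usage: restricted_key_line '<forced command>' '<public key text>'
restricted_key_line() {
    _cmd=$1
    _key=$2
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$_cmd" "$_key"
}

# 4. Inside the forced command, sshd exposes the client's original
#    request as SSH_ORIGINAL_COMMAND. A wrapper should allow-list it
#    rather than execute it. Returns 0 for a permitted request, 1 otherwise.
#    (The rsync server invocation below is a constructed sample.)
forced_command_allowed() {
    case $1 in
        "rsync --server --sender -logDtpr . /srv/backup/") return 0 ;;
        *) return 1 ;;
    esac
}

# Demo when run directly as agent_example.sh (sample key is constructed).
if [ "${0##*/}" = "agent_example.sh" ]; then
    SAMPLE_KEY='ssh-dss AAAAB3NzaC1kc3MAAACBEXAMPLE backup@otherhost'
    restricted_key_line '/usr/local/bin/backup-wrapper' "$SAMPLE_KEY"
    if agent_reachable; then
        echo "agent reachable via $SSH_AUTH_SOCK"
    else
        echo "no agent in this environment"
    fi
    if forced_command_allowed "${SSH_ORIGINAL_COMMAND:-}"; then
        echo "request would be permitted"
    else
        echo "request would be refused"
    fi
fi
```

The wrapper named in the `command=` option is where `forced_command_allowed` belongs in practice: it inspects `$SSH_ORIGINAL_COMMAND`, runs the single permitted command on a match, and exits non-zero otherwise, so the key is useful to the cron job and to nothing else.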