Hi,
Am 20.02.2010 um 00:11 schrieb Eugene Loh:
Okay, yes, setting SSH_AUTH_SOCK is the right thing to do, but this
strikes me as clumsy. I'm trying to understand how things should
be set up so that I don't have to take special action each time I
log in. Do I do some .login/.logout magic?
Or, why not just go without a DSA passphrase? The passphrase only
protects me from root, before whom I am rather powerless anyhow.
you mean, that root could use your ssh-key? When you are having an
agent running, root can hijack the created socket in /tmp. A good
explanation you can find here:
http://unixwiz.net/techtips/ssh-agent-forwarding.html
KDE and Gnome start the agent automatically, once you use ssh-add
(sometimes the graphical ssh-askpass is missing and must be
installed). I have somewhere a small script to recover a saved agent
configuration once it was started even for non-graphical based
sessions. I'll post it later.
But there is more to dicuss. Some even suggest to encrypt the ~/.ssh/
know_hosts file, so that noone would know where you used to log in
once he intruded your account. But most likely it's in the bash
history anyway, so there would be a HOSTIGNORE="ssh*:scp*" necessary
in bash. And as a next step, any convenient setting in ~/.ssh/config
can't be used to abbreviate the logins... But it's good to use
passphrase anyway, although it can be cracked locally by an attempt
to change it with `ssh-keygen -y` - no delay by failed login attempt,
so it could be really fast...
I also suggest to follow the complete thread starting with:
http://ftp.beowulf.org/archive/2009-September/026424.html
from
http://ftp.beowulf.org/archive/2009-September/thread.html
which ended in using hostbased authentication inside a cluster.
Also, the OMPI FAQ says authorized_keys should have 644
protection. Out on the web, it appears people advise 600, which
doesn't make sense to me since it just has public keys in it
anyhow. (My head is starting to spin.)
Correct, 644 is fine.
-- Reuti
Kenneth Yoshimoto wrote:
After you start up ssh-agent once, check env for SSH_AUTH_SOCK
If you start a new session and the old ssh-agent is still running,
try setting SSH_AUTH_SOCK.
I think there are more refined utilities out there to handle this
situation...
On Fri, 19 Feb 2010, Eugene Loh wrote:
Date: Fri, 19 Feb 2010 13:19:13 -0800
From: Eugene Loh <eugene....@sun.com>
Reply-To: Open MPI Users <us...@open-mpi.org>
To: Open MPI Users <us...@open-mpi.org>
Subject: [OMPI users] password-less ssh
This is with regards to http://www.open-mpi.org/faq/?
category=rsh#ssh-keys
It says to check if you have an ssh-agent running. How are you
supposed to do that? I've tried "ps -u myusername | grep ssh-
agent", but didn't know if that's the proper thing to do.
Also, it appears that I do *NOT* have an ssh-agent running
automatically for me. How often do I have to start one up? It
appears that if I start one up and log out and then log back in
again, the old ssh-agent is still there but not usable. I have
to start up a new one. So, do I have to start an ssh-agent each
time I log in?
Or, I could use no DSA passphrase, but that seems to be frowned
upon.
_______________________________________________
users mailing list
us...@open-mpi.org
http://www.open-mpi.org/mailman/listinfo.cgi/users
