
Re: [tlug] Making my LAN a passwordless zone



On Fri, Jul 10, 2009 at 7:54 AM, Doug McLean<dmclean635@example.com> wrote:
> On Fri, Jul 10, 2009 at 6:05 AM, Stephen J. Turnbull<stephen@example.com> wrote:
>> Keith Bawden writes:
>>  > On 2009/07/09, at 19:06, Phillip Tribble
>>  > <ptribble@example.com> wrote:
>>  > >
>>  > > When you do ssh-copy-id, make sure that you do it like this:
>>  > >
>>  > > ssh-keygen -i ~/.ssh/id_rsa.pub root@example.com
>>  >
>>  > Not sure if that is such a great idea. As root ?
>>
>> There are other issues there, like the command syntax is wrong.
>> ssh-keygen has no non-option arguments.  It's optimized for
>> interactive use, and prompts for all optional arguments.  (I got that
>> wrong, too; what I should have written for generating the key is
>>
>>    ssh-keygen -t rsa -f ~/.ssh/id_rsa
>>
>> of course.)
>>
>> I also don't understand the purpose of the "-i" flag here.  ISTM we
>> know that the key files are in OpenSSH format, but that flag's only
>> useful for *importing* non-OpenSSH keys.  It might make sense if you
>> were exporting the keys to a non-OpenSSH machine (say a Windows box),
>> but then the option you want is "-e".
>
> Exactly.  I'm always a little leery of root SSH keys, especially if
> passwordless.  For that reason, for a small environment it's nice to
> utilize 'ssh-agent' then 'ssh-add' because it unlocks the key ahead of
> time, so you only have to use the passphrase once, but you can make
> SSH connections as much as you like.
>
> A cursory Google search revealed a nice page both on generating SSH
> keys (essentially the same steps as outlined by Mr. Bawden), plus how
> to script ssh-agent to run from the shell profile script at login
> time.
>
> But this setup is still not entirely automated, so if you need
> something totally automated, then it's probably ok to set up some kind
> of system account that both systems have (with restricted privileges,
> shell, etc), generate password-less keys as Mr. Bawden outlined, and
> then provide a means to escalate privileges to the system account.  In
> other words, only just enough privileges to carry out its task.  Sudo
> can help facilitate this.
>
> This might be overkill for a tiny home environment, but good practice
> for a similar setup in corporate environment.
>
> Good luck!
>
> --
> Doug McLean
>
> Blog: http://nihonshukyo.wordpress.com/
>

Almost forgot to suggest.  When you do set up your keys, scripts and so
on, it's a good idea to use a minimalist ssh command to prevent abuse
by other folks.

Something like:

ssh -2 -x (destination)

Does a couple things.  SSHv2 is more secure than SSHv1 due to
improvements in its redundancy checks among other things.  The -x
turns off interactive X (unless you need it).  In addition, you can
configure SSH further to disable interactive shell if all you're doing
is just passing files.  If you do want interactive shell action, you'd
probably want to skip that feature.

Again, best of luck.

-- 
Doug "Remembering to write below the quote ;)" McLean

Blog: http://nihonshukyo.wordpress.com/
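The restricted system account Doug describes, and the "minimalist ssh command" idea, can both be enforced on the server side rather than left to the client: OpenSSH lets each line of ~/.ssh/authorized_keys carry options that pin the key to one command and switch off pty, X11, agent and port forwarding. The following POSIX sh script is an added example, not code from anyone in this thread; the key, the command path /usr/local/bin/backup-pull and the source network 192.0.2.0/24 are constructed placeholders, and it only builds and checks the authorized_keys text, it does not touch any real key or server.

```shell
#!/bin/sh
# Added example: generate a locked-down authorized_keys entry for a
# password-less automation key, and refuse obviously wrong input.
# Nothing here is from the original thread; all values are constructed.

# Constructed sample public key (not a real key, body shortened for the example).
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0ExAmPlEkEy backup@example.com'

# is_pubkey_line LINE
# Returns 0 if LINE looks like an OpenSSH *public* key of a known type.
# Rejects a private key pasted by mistake (a common copy/paste accident)
# and unknown key types, so only public material ever reaches the server.
is_pubkey_line() {
    case "$1" in
        "-----BEGIN"*) return 1 ;;                 # private key: never belongs here
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-nistp"*) return 0 ;;
        *) return 1 ;;
    esac
}

# restricted_entry PUBKEY_LINE COMMAND [FROM_PATTERN]
# Prints one authorized_keys line that lets this key run only COMMAND
# (whatever the client asks for ends up in SSH_ORIGINAL_COMMAND instead),
# with no pty and no X11/agent/port forwarding, optionally limited to
# clients matching FROM_PATTERN (address or CIDR, as sshd's from= accepts).
restricted_entry() {
    key="$1"; cmd="$2"; from="$3"
    if ! is_pubkey_line "$key"; then
        echo "restricted_entry: not an OpenSSH public key line" >&2
        return 1
    fi
    opts="no-pty,no-X11-forwarding,no-agent-forwarding,no-port-forwarding"
    if [ -n "$from" ]; then
        opts="from=\"$from\",$opts"
    fi
    printf '%s,command="%s" %s\n' "$opts" "$cmd" "$key"
}

# Stand-alone demo: the line you would append to the automation account's
# ~/.ssh/authorized_keys on the destination host (placeholder paths).
restricted_entry "$SAMPLE_PUBKEY" /usr/local/bin/backup-pull 192.0.2.0/24
```

On the client side the matching habit is to keep the command non-interactive as well, for example `ssh -2 -x -o BatchMode=yes -i ~/.ssh/backup_key backup@destination` (BatchMode makes a missing or mismatched key fail immediately instead of falling back to a password prompt). The server-side options are the ones that hold even if the client flags are forgotten: with `no-pty` and a fixed `command=`, a stolen password-less key yields one narrow operation, not a shell.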

