tlug Mailing List Archive

Re: [tlug] Making my LAN a passwordless zone
- Date: Fri, 10 Jul 2009 07:54:54 +0100
- From: Doug McLean <dmclean635@example.com>
- Subject: Re: [tlug] Making my LAN a passwordless zone
- References: <4A55DA40.2060202@example.com> <f118b8b90907090519w323e933esd3549bad11a88af@example.com> <1247134003.3591.4.camel@example.com> <654B4C51-23BA-4C3B-9BB0-3986A95FFC61@example.com> <87zlbdku0s.fsf@example.com>
On Fri, Jul 10, 2009 at 6:05 AM, Stephen J. Turnbull <stephen@example.com> wrote:

> Keith Bawden writes:
>
> > On 2009/07/09, at 19:06, Phillip Tribble
> > <ptribble@example.com> wrote:
> > >
> > > When you do ssh-copy-id, make sure that you do it like this:
> > >
> > > ssh-keygen -i ~/.ssh/id_rsa.pub root@example.com
> >
> > Not sure if that is such a great idea. As root ?
>
> There are other issues there, like the command syntax is wrong.
> ssh-keygen has no non-option arguments. It's optimized for
> interactive use, and prompts for all optional arguments. (I got that
> wrong, too; what I should have written for generating the key is
>
> ssh-keygen -t rsa -f ~/.ssh/id_rsa
>
> of course.)
>
> I also don't understand the purpose of the "-i" flag here. ISTM we
> know that the key files are in OpenSSH format, but that flag's only
> useful for *importing* non-OpenSSH keys. It might make sense if you
> were exporting the keys to a non-OpenSSH machine (say a Windows box),
> but then the option you want is "-e".

Exactly. I'm always a little leery of root SSH keys, especially if passwordless.

For that reason, for a small environment it's nice to utilize 'ssh-agent' then 'ssh-add' because it unlocks the key ahead of time, so you only have to use the passphrase once, but you can make SSH connections as much as you like. A cursory Google search revealed a nice page both on generating SSH keys (essentially the same steps as outlined by Mr. Bawden), plus how to script ssh-agent to run from the shell profile script at login time.

But this setup is still not entirely automated, so if you need something totally automated, then it's probably ok to set up some kind of system account that both systems have (with restricted privileges, shell, etc), generate password-less keys as Mr. Bawden outlined, and then provide a means to escalate privileges to the system account. In other words, only just enough privileges to carry out its task. Sudo can help facilitate this.

This might be overkill for a tiny home environment, but good practice for a similar setup in a corporate environment. Good luck!

--
Doug McLean
Blog: http://nihonshukyo.wordpress.com/
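The two suggestions in Doug's reply, scripting ssh-agent from the login profile so the passphrase is entered once per session, and giving a fully passwordless key only to a restricted automation account with a narrow sudo rule, put together as an added example. This is not code from the thread or from any TLUG member; the agent-cache path, the backup.sh command, the account name and the authorized_keys file are assumptions chosen for illustration. The key path matches the `ssh-keygen -t rsa -f ~/.ssh/id_rsa` line quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. Part 1: one ssh-agent per login session,
# reused across shells, so the key passphrase is typed once. Part 2: helpers
# that pin a passwordless automation key to a single forced command and grant
# that account exactly one sudo command. All paths and names are assumptions.

AGENT_ENV="${HOME}/.ssh/agent.env"      # assumed location for cached agent variables
KEY_FILE="${HOME}/.ssh/id_rsa"          # key file as named in the thread's ssh-keygen line

# agent_alive: succeed only if SSH_AUTH_SOCK points at an agent that answers.
# ssh-add -l exits 0 (keys loaded), 1 (no keys), 2 (cannot reach an agent).
agent_alive() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ] || return 1
    status=0
    ssh-add -l >/dev/null 2>&1 || status=$?
    [ "$status" -ne 2 ]
}

# start_agent: start a fresh agent and cache its variables in a 0600 file.
start_agent() {
    (umask 077 && mkdir -p "${HOME}/.ssh" && ssh-agent -s > "$AGENT_ENV")
    . "$AGENT_ENV" >/dev/null
}

# ensure_agent: call this from ~/.profile. It reuses the cached agent if that
# agent is still running, otherwise starts one, then loads the key (one
# passphrase prompt) unless the agent already holds an identity.
ensure_agent() {
    if ! agent_alive && [ -r "$AGENT_ENV" ]; then
        . "$AGENT_ENV" >/dev/null
    fi
    agent_alive || start_agent
    status=0
    ssh-add -l >/dev/null 2>&1 || status=$?
    [ "$status" -eq 0 ] || ssh-add "$KEY_FILE"
}

# restrict_key KEYLINE COMMAND: wrap a public key line with authorized_keys
# options so the key can run only COMMAND, with no forwarding and no tty.
# This is what makes a passwordless key for an automation account tolerable.
restrict_key() {
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$2" "$1"
}

# sudoers_rule ACCOUNT COMMAND: a sudoers line granting ACCOUNT one command as
# root and nothing else. Install it with visudo, never by editing by hand.
sudoers_rule() {
    printf '%s ALL=(root) NOPASSWD: %s\n' "$1" "$2"
}

# install_restricted_key KEYLINE COMMAND AUTHFILE: append the restricted line
# to AUTHFILE (created 0600 if missing), refusing if the key blob is already
# there so a second run cannot add an unrestricted or duplicate entry.
install_restricted_key() {
    (umask 077 && touch "$3")
    keyblob=$(printf '%s\n' "$1" | awk '{print $2}')
    if grep -qF -- "$keyblob" "$3"; then
        echo "key already present in $3" >&2
        return 1
    fi
    restrict_key "$1" "$2" >> "$3"
}
```

Source the file from `~/.profile` and call `ensure_agent`; interactive use then costs one passphrase per login. For the automation account, run `install_restricted_key "$(cat backup.pub)" /usr/local/bin/backup.sh /home/backup/.ssh/authorized_keys` on the target and add the output of `sudoers_rule backup /usr/local/bin/backup.sh` through visudo, so even a stolen passwordless key can only trigger that one script.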
- Follow-Ups:
- Re: [tlug] Making my LAN a passwordless zone
- From: Doug McLean
- References:
- [tlug] Making my LAN a passwordless zone
- From: Dave M G
- Re: [tlug] Making my LAN a passwordless zone
- From: Keith Bawden
- Re: [tlug] Making my LAN a passwordless zone
- From: Phillip Tribble
- Re: [tlug] Making my LAN a passwordless zone
- From: Keith Bawden
- Re: [tlug] Making my LAN a passwordless zone
- From: Stephen J. Turnbull