Mailing List Archive



Re: [tlug] Auto fill password in shell script?



On Tue, Feb 1, 2011 at 9:38 PM, Stephen J. Turnbull <stephen@example.com> wrote:
> Dave M G writes:
>
>  > I tried to see if I could get my main web hosting service to set up a
>  > key pair so I could log in via SSH without a password, like I do on my LAN.
>  >
>  > But no, they have set their system up to not allow that. Can't say I
>  > blame them. I can see how that might be a security risk.
>
> Sure, but (a) Unix passwords are generally weaker than SSH key pass
> phrases, and (b) you're in even more trouble with expect, since the
> password will appear in the clear in the script.  It doesn't matter
> how you slice it, it's at least as easy to break security of password
> logins as it is with automated agent + private key logins.  (At least,
> that's what the books I read years ago say; conventional wisdom may
> have changed since then.)


Actually, I can think of a couple of reasons why a web hosting service
would do this...perhaps none of them plausible.  :-)

I think Unix systems have password-only ssh enabled by default.  To
allow ssh key entry, they have to change a few lines in their
configuration.  I guess they can't be bothered to do that.  Or that
it's for only premium-level users who are paying more.  ;-)

Another possibility is that the reasons for using ssh keys assume some
kind of brute force attack.  However, if one of the computers set up
for this is a laptop and the laptop is removed from the office and
then stolen, then no brute force attack is needed anymore.  At least
with passwords, they're stored in our heads so it's more secure (in
the absence of the "expect" program :-) ).  Probably one of their
customers had their laptop stolen and can't log in because they forgot
their password and the web host thought closing this "loophole" would
be the solution.

...or maybe this decision is made by the web host management and not
any of their system administrators...

Ray

