ssh encryption strength
Trevor Leffler
tleffler at u.washington.edu
Mon Feb 7 14:14:22 PST 2000
When I used to work on an X-terminal, I set up motif to be completely encapsulated
by ssh-agent by putting something like "ssh-agent .xinitrc" in my .xsession file.
My .xinitrc file defined session variables, loaded X apps, etc. In fact, the first
"app" that loaded in X was a window that asked for the ssh passphrase. I don't know
if this has any benefits over "ssh-agent bash" ... That's what I do too, on my Linux
workstation 'cuz I haven't taken the time to see if I can "ssh-agent X" yet.
--
Trevor Leffler, Software Developer
UWired/PETTT, University of Washington
Box 353080, (206) 616-3406 FAX: (206) 616-2873
Chris Hunter wrote:
>
> I use (and lately depend on) ssh-agent and rsa keys daily in my current job.
> I've got about 5 shell accounts I connect to, and my linux workstation. I've
> copied my identity.pub to all the hosts in the .ssh/authorized_keys file. So
> then I just fire up an rxvt term, run 'ssh-agent bash' then 'ssh-add', and enter
> the passphrase.
>
> Since ssh-agent exports itself to child processes, I can then run a script that
> starts 5 other rxvts and authenticates to each host. (beats logging into 5
> separate machines). It's a little kludgy to start, but I basically only have to
> enter a pass(phrase) once a day, and can log in and out of any of the machines
> by just typing 'ssh <hostname>' (aliased of course). And all X apps on the
> remote boxen run nicely on the local display via ssh forwarding.
>
> The other nice thing is that if you're using RSA keys, you can disable password
> authentication altogether, so there's no chance of brute forcing a login from an
> untrusted host. If you don't have your public key on the remote box, you can't
> get in.
>
> I know ssh-agent also works nicely with screen, since it exports to new virtual
> terminals, but I'm not positive on the security concerns of a detached
> authenticated session.
>
> As far as having a blank passphrase, that's probably a really bad idea, scripting
> ease aside. If your private key gets compromised, you've given up all its
> trusted hosts, and I think that's more important than a little automation. I
> would make it a nice healthy sentence.
>
> Chris Hunter
>
> On Mon, 7 Feb 2000, William Kreuter wrote:
>
> > Trevor> The additional security isn't an effect upon any secure
> > Trevor> connections that you make, rather, it is a password for
> > Trevor> using your private ssh key. Let's say that you can access
> > Trevor> 15 trusted hosts/accounts from your single account.
> > Trevor> That's a hacker's goldmine, especially if they get a copy
> > Trevor> of your private key without your knowledge. SSH is nice
> > Trevor> because it's essentially passwordless, but I always like
> > Trevor> to use that one... and you only need it once per session.
> >
> > See Mike Hornung's followup explanation. Thanks to everyone who's
> > explained that the passphrase is essentially a password for using the
> > private key. That makes sense. However, it's true, as I originally
> > noted, that a passphrase must not be set if ssh is used in any kind of
> > batch environment such as crontab, or if it's to be a drop-in
> > replacement for imap in Pine. Once per session in those scenarios is
> > once too many; there's no practical way to supply the passphrase.
> >
> > William Kreuter, Senior Computer Specialist, University of Washington
> > Ctr. for Cost & Outcomes Research, 146 N. Canal St. #300, Seattle, WA 98103
> > billyk at u.washington.edu http://staff.washington.edu/billyk/
> > voice or voice mail: 206-543-5007 fax: 206-543-5318 mailstop: 358853
> >
> >
> >
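The two practical points in this thread, wrapping a whole session in ssh-agent so every child process inherits the agent socket, and turning off password logins once keys are in place, as an added shell example that is not part of the original thread. The function names, the sample sshd_config fragments and the `~/.xinitrc` path are constructed for illustration; the audit follows sshd's rule that the first value given for a keyword wins, and treats keyboard-interactive (older name: ChallengeResponseAuthentication) as a password-style method that must also be off.

```shell
#!/bin/sh
# Added example, not code from the thread. Hypothetical helper names.

# Equivalent of "ssh-agent .xinitrc" in ~/.xsession: ssh-agent starts, runs the
# session as its child with SSH_AUTH_SOCK exported, and exits when the session
# ends, so the agent lives exactly as long as the login. In a real .xsession
# you would "exec" this; here it simply returns ssh-agent's exit status.
# Returns 2 if ssh-agent is not installed.
run_session_under_agent() {
    session="${1:-$HOME/.xinitrc}"          # constructed default path
    command -v ssh-agent >/dev/null 2>&1 || return 2
    ssh-agent "$session"
}

# Demonstrates "ssh-agent exports itself to child processes": a grandchild
# shell checks whether the agent socket is visible in its environment.
agent_visible_to_children() {
    command -v ssh-agent >/dev/null 2>&1 || { echo "ssh-agent not installed"; return 2; }
    ssh-agent sh -c '[ -S "$SSH_AUTH_SOCK" ] && echo visible || echo hidden'
}

# Audit sshd_config text on stdin. Exit 0 only if password and
# keyboard-interactive logins are off and public-key login is on.
# Comments are stripped, keywords are case-insensitive, first value wins.
audit_sshd_config() {
    awk '
        BEGIN { pw = "yes"; kbd = "yes"; pk = "yes" }   # sshd defaults
        { sub(/#.*/, ""); key = tolower($1); val = tolower($2) }
        key == "passwordauthentication" && !pw_set  { pw = val;  pw_set = 1 }
        key == "pubkeyauthentication"   && !pk_set  { pk = val;  pk_set = 1 }
        (key == "kbdinteractiveauthentication" ||
         key == "challengeresponseauthentication") && !kbd_set { kbd = val; kbd_set = 1 }
        END {
            if (pw == "no" && kbd == "no" && pk == "yes") {
                print "ok: key-only login"; exit 0
            }
            print "weak: PasswordAuthentication=" pw \
                  " KbdInteractiveAuthentication=" kbd \
                  " PubkeyAuthentication=" pk
            exit 1
        }'
}

# Constructed sample configs: the stock setting and the hardened one.
sample_weak_config() {
    printf '%s\n' \
        'PubkeyAuthentication yes' \
        'PasswordAuthentication yes'
}

sample_hardened_config() {
    printf '%s\n' \
        '# hardened: keys only' \
        'PubkeyAuthentication yes' \
        'PasswordAuthentication no' \
        'KbdInteractiveAuthentication no' \
        'PasswordAuthentication yes   # ignored: first value wins'
}

# Usage (interactive):
#   sample_weak_config     | audit_sshd_config   # exit 1, prints "weak: ..."
#   sample_hardened_config | audit_sshd_config   # exit 0, prints "ok: ..."
#   agent_visible_to_children                    # prints "visible"
```

Note that the audit only reads the main file; a `Match` block or an `Include`d file can still re-enable password logins for particular users or addresses, so check those too on a real host. The blank-passphrase question raised for cron and Pine is exactly what the agent wrapper addresses for interactive sessions: the key stays passphrase-protected on disk, and only processes descended from the agent can use it.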