[KLUG Members] ssh-keygen

bert klug at obbink.eu
Tue Mar 13 05:16:22 EST 2007


Thanks guys for all the explanations.

I want to use the ssh-keys to scp some files to another server. Because the process runs via the crontab, I can't provide a passphrase.
I use scp with the -i option to provide the key and -l to provide a non-root username.
The keys go into a root only accessible directory. (The cron runs as root.)
If there are better, more secure, ways to do this I would like to know about them.
My misunderstanding was that I thought that the passphrase could be used to bypass the ssh-key in some way, a sort of bypassphrase so to speak.

Kind regards,

Bert.


ps, Bill, you wrote your gpg key at the end of your message. I once created a gpg key (without a passphrase) and loaded that up to a keyserver. I guess it's better to use a passphrase on this too.
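The set-up described above (a root cron job using an unencrypted private key with scp -i) stands or falls on file permissions and on what the key is allowed to do on the remote side. As an added example, not code from anyone in this thread, the following POSIX sh functions check the key and its directory are owner-only and build an authorized_keys line that limits a stolen key to one command from one host. It assumes GNU coreutils (stat -c) on Linux; paths, host and command are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Checks before a root cron job uses a
# passphrase-less key, plus the authorized_keys restrictions for the remote
# account. Assumes GNU coreutils (stat -c); all paths are placeholders.

# Return 0 if the private key is readable only by its owner (0600 or 0400).
# A key without a passphrase is protected by nothing else.
key_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Return 0 if the directory holding the key has no group or other bits set
# (e.g. 700), so non-root users cannot list or open it.
dir_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Combined check a cron job can run before attempting the copy.
cron_key_ok() {
    dir_mode_ok "$(dirname "$1")" && key_mode_ok "$1"
}

# Print an authorized_keys line for the non-root account on the remote server
# that only accepts the key from $2 (cron host IP or name), forces the single
# command $3 (e.g. the scp receive side), and disables forwarding and ptys.
# $1 is the public key file; its trailing comment field is dropped.
restricted_key_line() {
    printf 'from="%s",command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$2" "$3" "$(cut -d' ' -f1,2 "$1")"
}

# Example cron usage (placeholder paths and host):
#   cron_key_ok /root/.ssh/backup_key &&
#     scp -i /root/.ssh/backup_key /var/backup/dump.tgz copyuser@backup.example:/incoming/
```

ssh itself refuses a private key that is group- or world-readable, so key_mode_ok mirrors that check before cron runs rather than discovering it in a failed job; the from= and command= options are standard sshd authorized_keys options.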





bill wrote:
> Hello,
> 
> On Mon, 2007-03-12 at 13:21, bert wrote:
>> Hi all,
>>
>> When generating a ssh key with ssh-keygen I always use -t DSA.
>> On the question to enter a passphrase, I always just press enter twice 
>> (no passphrase).
> 
> Sure.  Then you copy the public key to the remote system and when you
> log in to that system you won't need to use a passphrase.  
> 
> It's simpler than using a password and someone has to have the key (a
> special file) to log in.
> 
> Usually, you limit the SSH logins to only accept logins that use a key
> so name-and-password SSH logins aren't allowed.
> 
>> After reading the howto I am not sure anymore if this is the most secure choice.
> 
> No, it is not the most secure choice.
> 
>> The howto explains that this passphrase will be used to encrypt the private 
>> part of this file using 3DES.
>> Is this good or bad? So should I enter a passphrase or better not?
> 
> SSH is a way to log in to another computer to do things there.  SSH
> means I can work on a remote computer as if I was at the keyboard over
> there.  I'm typing on the Client computer, my commands are run on the
> Server computer.
> 
> SSH Session:
> 
>   (I'm typing on the) Client ---> (my typing is acting on the) Server
> 
> We used to log in to other computers with Telnet, giving our name and
> password.  But, Telnet transmitted our name and password to the Server
> in the clear, making them vulnerable to someone "listening in."
> 
> SSH encrypts the transmissions so people can't steal information by
> "listening in."  But, there are other ways to steal passwords (like
> reading the post-it note on the underside of the keyboard!).
> 
> There are three general ways to do SSH: name & pw, passwordless keys,
> and keys with passwords.  You are talking about the last two.
> 
> There are other ways to do SSH, but they don't apply to your question.
> 
> --------------------
> 
> The first way is the most basic: Name and password.  I run SSH, calling
> up the remote computer and it asks for my name and password.  If I give
> correct answers, I get to log in as that user and away I go.
> 
> First, have an account on the Server
> Client runs SSH and calls Server
> 	Server says "What is your name and password"
> 	I give the name and password.  
> 	If correct, I'm logged in and begin my SSH session.
> 
> The second way is more advanced, but simpler: passwordless keys.  I run
> SSH, calling up the remote computer and giving my name.  The Server
> looks up my account and sees my public key.  The server asks for the
> matching private key, which is on the client.  The client automatically
> provides it, and if the keys correspond, I get to log in as that user
> and away I go.
> 
> First, have an account on the Server with your public key installed
> Client runs SSH and calls Server, giving name
> 	Server looks up account, 
> 		sees public key, asks Client for private key
> 	Client provides private key (happens automatically)
> 	If the keys correspond, I'm logged in and begin my SSH session.
> 
> 
> --------------------
> 
> The third way is more secure: keys with password.  I run SSH, calling up
> the remote computer and giving my name.  The Server looks up my account
> and sees my public key.  The server asks for the matching private key,
> which is on the client.  The client DOESN'T AUTOMATICALLY PROVIDE THE
> PRIVATE KEY, BUT ASKS ME FOR THE PASSWORD TO USE IT.  IF THE KEY
> PASSWORD IS CORRECT IT FORWARDS THE KEY TO THE SERVER, if the keys
> correspond, I get to log in as that user and away I go.
> 	
> First, have an account on the Server with your public key installed
> Client runs SSH and calls Server, giving name
> 	Server looks up account, 
> 		sees public key, asks Client for private key
> 	Client finds private key
> 		Asks me for password to use it
> 		If password is correct, forwards key to Server
> 	If the keys correspond, I'm logged in and begin my SSH session
> 
> --------------------
> 
> So there are three increasing levels of security here.
> 
> I can log in by using a name and password.
> 	But, what if someone steals my name & password?
> 		They can log in as me!
> 
> I can log in by using a passwordless key.
> 	But, what if someone steals my private key?
> 		They can log in as me!
> 
> I can log in by using a key with a password.
> 	But what if someone steals my key and my password for that key?
> 		They can log in as me!
> 
> So, you can see that the three levels give increasing security by making
> it more difficult for someone to steal your identity and log in as you.
> 
> kind regards,
> 
> bill
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Members mailing list
> Members at kalamazoolinux.org
> 