ssh/scp used keyless....more secure

Net Llama! netllama
Sun Aug 28 13:52:29 PDT 2005


On 08/28/2005 11:14 AM, Ken Moffat wrote:
> Net Llama! wrote:
> 
>> On 08/27/2005 11:10 AM, Dr. Scott S. Jones wrote:
>>
>>> Dear List:
>>>
>>> I use ssh and scp on a regular basis. I know I can create keys for using
>>> these more securely. And I am sure the topic has been raised and discussed
>>> before.
>>> Could someone point me to a good understandable resource on setting up
>>> keys, and the challenge/response mechanisms to allow me to ssh and scp to
>>> home and back from work, without sending my password open across the net.
>>
>>
>> I don't know of any resources, but setting this up is fairly simple.
>>
>> On your client side box, you can generate your ssh keys with the
>> following command:
>> ssh-keygen -t dsa
>>
>> just hit enter for the defaults to all the questions.  Once you're
>> done, you'll have created two files inside ~/.ssh:
>> id_dsa & id_dsa.pub
>>
>> On the server that you want to ssh/scp to without a password, you
>> should have a ~/.ssh directory for your user as well.  Look in that
>> directory.  If you don't already have an authorized_keys file, then
>> all you need to do is scp ~/.ssh/id_dsa.pub from your local client box
>> to the server and rename it ~/.ssh/authorized_keys .  At this point,
>> you're done, and you should be able to ssh/scp to that server without
>> passwords.
>>
>> If you already do have an ~/.ssh/authorized_keys on the server for
>> your user, then you need to append your ~/.ssh/id_dsa.pub to the end
>> of ~/.ssh/authorized_keys.  So scp ~/.ssh/id_dsa.pub to the server,
>> and then this should do the trick:
>> cat id_dsa.pub >> ~/.ssh/authorized_keys
>>
>> At this point, you're done, and you should be able to ssh/scp to that
>> server without passwords.
>>
>>
> 
> this is the method I use locally, but isn't there a security problem
> with using ssh keys without passphrases?
> 

Such as?  Forcing a passphrase when using ssh keys defeats the primary 
purpose of using them, namely, passwordless ssh access.

I suppose if you're super paranoid, or the script kiddies really have it 
out for you, maybe you should switch to disabling password auth, 
disabling root ssh, and password based ssh keys.  But that is 
ridiculously overkill for most people.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
L. Friedman                       	       netllama at linux-sxs.org
LlamaLand		 		http://netllama.linux-sxs.org

  12:15:01 up 13 days, 22:06,  1 user,  load average: 0.19, 0.18, 0.17
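The server-side install step from the quoted reply, written out as an added shell example (not code from this thread), together with two checks the reply leaves implicit: permissions that pass an OpenSSH server's default StrictModes check (nothing group- or world-writable; 0700 on ~/.ssh and 0600 on authorized_keys are the usual choice), and a guard against appending the same key twice. It assumes a one-line public-key file as ssh-keygen writes it; the sample key used when testing is constructed, and since current OpenSSH releases no longer accept DSA keys by default, `ssh-keygen -t ed25519` is the present-day equivalent of the command quoted above.

```shell
#!/bin/sh
# Added example, not code from the thread: the server-side half of the
# reply's procedure (append id_*.pub to ~/.ssh/authorized_keys), plus the
# permission and duplicate checks a practitioner wants.
#
# sshd with the default "StrictModes yes" ignores authorized_keys when the
# file or ~/.ssh is group/world-writable, which is easy to end up with after
# an scp + cat. 0700/0600 are the conventional tight settings.

install_pubkey() {
    pubkey_file=$1
    ssh_dir=${2:-"$HOME/.ssh"}        # second arg exists for testing only
    auth_file="$ssh_dir/authorized_keys"

    # ssh-keygen writes one line: "<type> <base64 blob> [comment]".
    key_line=$(head -n 1 "$pubkey_file") || return 1
    set -- $key_line                   # split the line into its fields
    key_type=$1
    key_blob=$2
    case $key_type in
        ssh-*|ecdsa-*|sk-*) ;;         # OpenSSH key type prefixes
        *)
            echo "install_pubkey: $pubkey_file is not an OpenSSH public key" >&2
            return 1 ;;
    esac
    [ -n "$key_blob" ] || return 1

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    # Match on type + key material only, so a different comment on the same
    # key does not get it appended a second time.
    if grep -qF "$key_type $key_blob" "$auth_file"; then
        echo "install_pubkey: key already in $auth_file" >&2
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
}

# Number of key lines in an authorized_keys file (blank/comment lines skipped).
count_keys() {
    grep -v '^#' "$1" | grep -c .
}

# Run as a script: install_pubkey.sh <pubkey-file> [ssh-dir]
if [ "$#" -ge 1 ]; then
    install_pubkey "$@"
fi
```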

