ssh/scp used keyless....more secure
Ken Moffat
kmoffat
Sun Aug 28 16:54:15 PDT 2005
Net Llama! wrote:
> On 08/28/2005 11:14 AM, Ken Moffat wrote:
>
>> Net Llama! wrote:
>>
>>> On 08/27/2005 11:10 AM, Dr. Scott S. Jones wrote:
>>>
>>>> Dear List:
>>>>
>>>> I use ssh and scp on a regular basis. I know I can create keys for
>>>> using
>>>> these more securely. And I am sure the topic has been raised and
>>>> discussed
>>>> before.
>>>> Could someone point me to a good understandable resource on setting
>>>> up keys,
>>>> and the challenge/response mechanisms to allow me to ssh and scp to
>>>> home and
>>>> back from work, without sending my password open across the net.
>>>
>>>
>>>
>>> I don't know of any resources, but setting this up is fairly simple.
>>>
>>> On your client side box, you can generate your ssh keys with the
>>> following command:
>>> ssh-keygen -t dsa
>>>
>>> just hit enter for the defaults to all the questions. Once you're
>>> done, you'll have created two files inside ~/.ssh:
>>> id_dsa & id_dsa.pub
>>>
>>> On the server that you want to ssh/scp to without a password, you
>>> should have a ~/.ssh directory for your user as well. Look in that
>>> directory. If you don't already have an authorized_keys file, then
>>> all you need to do is scp ~/.ssh/id_dsa.pub from your local client box
>>> to the server and rename it ~/.ssh/authorized_keys . At this point,
>>> you're done, and you should be able to ssh/scp to that server without
>>> passwords.
>>>
>>> If you already do have an ~/.ssh/authorized_keys on the server for
>>> your user, then you need to append your ~/.ssh/id_dsa.pub to the end
>>> of ~/.ssh/authorized_keys. So scp ~/.ssh/id_dsa.pub to the server,
>>> and then this should do the trick:
>>> cat id_dsa.pub >> ~/.ssh/authorized_keys
>>>
>>> At this point, you're done, and you should be able to ssh/scp to that
>>> server without passwords.
>>>
>>>
>>
>> this is the method I use locally, but isn't there a security problem
>> with using ssh keys without passphrases?
>>
>
> Such as? Forcing a passphrase when using ssh keys defeats the primary
> purpose of using them, namely, passwordless ssh access.
>
> I suppose if you're super paranoid, or the script kiddies really have
> it out for you, maybe you should switch to disabling password auth,
> disabling root ssh, and password based ssh keys. But that is
> ridiculously overkill for more people.
>
Well, I've seen the usage of "ssh-agent" recommended, which allows
secure passwordless logins. I can't remember the exact setup.
--
ken
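
One way the ssh-agent setup mentioned in this message can be combined with the authorized_keys step from earlier in the thread, as an added example that is not part of any poster's message. It uses an ed25519 key instead of the thread's `-t dsa`, because current OpenSSH releases no longer accept DSA keys by default; the function names, default paths and the sample key in any test input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and default paths are assumptions.

# Client: create a passphrase-protected key (ssh-keygen prompts for the passphrase).
make_key() {
    keyfile="${1:-$HOME/.ssh/id_ed25519}"
    ssh-keygen -t ed25519 -f "$keyfile"
}

# Client: start an agent for this shell and unlock the key once.
# Later ssh/scp calls in the same shell ask the agent instead of prompting.
load_agent() {
    keyfile="${1:-$HOME/.ssh/id_ed25519}"
    eval "$(ssh-agent -s)" >/dev/null
    ssh-add "$keyfile"
}

# Server: append a public key to authorized_keys without overwriting existing
# entries, skip it if already present, and set the permissions sshd expects.
install_pubkey() {
    pubfile="$1"
    sshdir="${2:-$HOME/.ssh}"
    auth="$sshdir/authorized_keys"
    [ -s "$pubfile" ] || { echo "no public key at $pubfile" >&2; return 1; }
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    key=$(head -n 1 "$pubfile")
    if grep -qxF -- "$key" "$auth"; then
        return 0    # already authorized, nothing to do
    fi
    # Make sure the existing file ends with a newline before appending.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi
    printf '%s\n' "$key" >> "$auth"
}
```

Run `make_key` and `load_agent` on the client, copy the `.pub` file to the server, and run `install_pubkey` there; the private key stays encrypted on disk and the passphrase is typed once per agent session.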