RE: Re: Passwordless ssh, "once and for all"...
From: Kim, Anthony (anthony.kim@vw.com)
Date: 12/12/02
From: "Kim, Anthony" <anthony.kim@vw.com>
To: 'Mike Sowka' <msowka@doe.carleton.ca>, secureshell@securityfocus.com
Date: Thu, 12 Dec 2002 14:09:09 -0600
Congrats!
Host based authentication sets up a condition of trust relationships
on a host level not on a user level. You set up a situation where
a compromised host has greater ability to take advantage of such
trust relationships.
Read ssh(8) again.
What I would do: use ssh-agent and turn on agent forwarding. I use
keychain[0] to manage ssh-agents when connecting from Unix clients.
On Windows clients, I use Pageant[1] to manage my keys.
[0] http://www.gentoo.org/proj/en/keychain.xml
[1] http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
Hope this helps!
-----Original Message-----
From: Mike Sowka [mailto:msowka@doe.carleton.ca]
Sent: Thursday, December 12, 2002 1:51 PM
To: secureshell@securityfocus.com
Cc: anthony.kim@vw.com
Subject: WAS: Re: Passwordless ssh, "once and for all"...
Thank you for all your suggestions,
I finally got -->HostbasedAuthentication<-- (which is what I was really
looking for) working... It involved some poorly documented details:
#1 HostbasedAuthentication yes in both ssh_config and sshd_config
#2 IgnoreRhosts no in sshd_config
Anthony,
Given that this setup is installed on a completely separate subnet
(?security not an issue?:)?)... why do you suggest this is the wrong way
to go about passwordless login?
Again, Thanks,
Mike
--
Mike Sowka <msowka@doe.carleton.ca>
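A check for the two sshd_config settings named in the quoted message, as an added example that is not part of the original thread: it reports each scope of a configuration where host-based authentication is effectively enabled. It assumes OpenSSH's documented parsing rules (keywords are case-insensitive, the first value read for a keyword wins, a Match block overrides the global section); the function names and the sample configuration are constructed for illustration.

```python
# Added example (not from the thread): audit sshd_config text for host-level trust.
DEFAULTS = {"hostbasedauthentication": "no", "ignorerhosts": "yes"}

# Constructed sample configuration, not taken from the thread.
SAMPLE = """\
hostbasedauthentication yes
IgnoreRhosts no
HostbasedAuthentication no
Match Address 192.0.2.0/24
    HostbasedAuthentication no
"""

def effective_settings(config_text):
    """Return {scope: {keyword: value}} for the keywords in DEFAULTS."""
    scopes = {"global": {}}
    scope = "global"
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single '='.
        parts = line.replace("=", " ", 1).split(None, 1)
        keyword = parts[0].lower() if parts else ""   # case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":              # block runs until the next Match
            scope = "Match " + value
            scopes.setdefault(scope, {})
        elif keyword in DEFAULTS and value:
            # sshd keeps the first value it reads for a keyword.
            scopes[scope].setdefault(keyword, value.split()[0].lower())
    return scopes

def audit(config_text):
    """Return (scope, finding) pairs for host-level trust settings."""
    scopes = effective_settings(config_text)
    base = {**DEFAULTS, **scopes["global"]}
    findings = []
    for scope, seen in scopes.items():
        eff = {**base, **seen}              # a Match block overrides global
        if eff["hostbasedauthentication"] != "yes":
            continue
        findings.append((scope, "host-based authentication enabled"))
        if eff["ignorerhosts"] == "no":
            findings.append((scope, "per-user .rhosts/.shosts honoured"))
    return findings

if __name__ == "__main__":
    for scope, finding in audit(SAMPLE):
        print(f"{scope}: {finding}")
```

On the sample, the later `HostbasedAuthentication no` in the global section does not take effect, so the global scope is still reported.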