Re: SSH Passphrase

From: David M. Fetter
Date: 03/06/03

  • Next message: Mark Reardon: "RE: Any good method to check network overload?"
    Date: Wed, 05 Mar 2003 17:43:50 -0800
    From: "David M. Fetter" <>
    To: Stefan Lesicnik <>

    The private/public key encryption works like this. You generate a set
    of keys, one private and one public. The public one then can be placed
    into the .ssh/authorized_keys file on remote servers. The
    authentication is based on the public key matching up with your private
    key, which only you should have. The private key should not exist
    anywhere else or ever be shared. Then if the authentication passes, the
    session connection is allowed and all of the traffic is encrypted.

    The default ssh configuration may not necessarily be 100% secure if
    you're using keys with no passphrase. However, it is possible to make
    the configuration more secure in a variety of ways. This includes
    things like using tcp wrappers to restrict which specific hosts or
    networks are allowed to connect, specifying strict host key checking,
    specifying users who are allowed to connect, potentially disabling
    password authentication, etc. So, if security is a concern for those
    you are connecting to, then they can take these extra precautions.

    The way you describe using ssh key authentication is quite common
    though. The only negative aspect is that if somebody should get access
    to your account and know what server(s) you connect to using the
    keys then they have free roam because there is no passphrase. If you
    are really concerned with this there are other ways you can script the
    non-interaction using the ssh key authentication. There is a way
    outlined in O'Reilly's blue Secure Shell book how you can use ssh-agent
    in a non-interactive way. You could use expect as another option. If
    your script is in Perl then you can use the and I believe
    there is another module that will allow you to even encrypt the
    passphrase/password on the local system so that it's not shown in plain
    text should someone simply read the script itself. So, there are a
    variety of ways to do this in a more secure manner should you choose to
    go that route.

    Stefan Lesicnik wrote:
    > Hi,
    > I'm fairly new to private and public key encryption, so don't quite
    > understand all the concepts.
    > I have the need to scp a file to a remote server without specifying the
    > password as it is done from a non-interactive script.
    > I have accomplished this by generating a dsa key without a passphrase.
    > Although this works I am worried about the security concerns of doing
    > this? (Without a passphrase, how does it authenticate? Based on the
    > machine's dsa key which was made from machine specific entropy?)
    > I know of programs such as ssh-agent, but these require you to enter a
    > passphrase at the beginning of the session which it then remembers, this
    > isn't possible as it is non-interactive in my case. Does anyone have any
    > ideas or comments?
    > TIA
    > Stefan Lesicnik

    David M. Fetter -
    "The world is full of power and energy and a person can go far by just
    skimming off a tiny bit of it." Neal Stephenson - Snow Crash
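A defender-side check for the server precautions the reply lists (password authentication off, an explicit list of allowed users, a tcp-wrappers entry for sshd), added here as example code that is not part of the original thread. The configuration files, the account name and the 192.0.2.0/24 network are constructed for the demonstration; the check reads only the first uncommented value of each directive, which is how sshd resolves repeated keywords, and does not handle Match blocks.

```shell
#!/bin/sh
# Added example, not from the original thread: audit an sshd_config plus
# /etc/hosts.allow for the precautions the reply lists. Every file below is
# constructed for the demonstration; no real host is involved.

# Print the first uncommented value of a directive ($2) in sshd_config ($1).
# sshd uses the first obtained value for each keyword; Match blocks are ignored.
sshd_value() {
    awk -v k="$2" 'tolower($1)==tolower(k) && !seen { print $2; seen=1 }' "$1"
}

# Report each missing precaution; the return code is the number missing.
audit_sshd() {
    cfg="$1"; allow="$2"; missing=0
    if [ "$(sshd_value "$cfg" PasswordAuthentication)" != "no" ]; then
        echo "PasswordAuthentication is not 'no' (sshd defaults to yes)"
        missing=$((missing + 1))
    fi
    if [ -z "$(sshd_value "$cfg" AllowUsers)" ]; then
        echo "no AllowUsers list: any account with a key may log in"
        missing=$((missing + 1))
    fi
    # tcp wrappers: without an sshd line in hosts.allow, source networks are not restricted
    if ! grep -Eq '^[[:space:]]*sshd[[:space:]]*:' "$allow"; then
        echo "no sshd entry in hosts.allow: tcp wrappers not restricting clients"
        missing=$((missing + 1))
    fi
    return "$missing"
}

# Constructed sample files: a default-looking server and a hardened one.
tmp=$(mktemp -d)
cat > "$tmp/weak_sshd_config" <<'EOF'
Port 22
#PasswordAuthentication yes
EOF
: > "$tmp/weak_hosts.allow"
cat > "$tmp/hard_sshd_config" <<'EOF'
Port 22
PasswordAuthentication no
AllowUsers backup@192.0.2.10
EOF
printf 'sshd: 192.0.2.0/24\n' > "$tmp/hard_hosts.allow"

echo "== default-looking server =="
audit_sshd "$tmp/weak_sshd_config" "$tmp/weak_hosts.allow" || echo "$? precaution(s) missing"
echo "== hardened server =="
audit_sshd "$tmp/hard_sshd_config" "$tmp/hard_hosts.allow" && echo "all precautions present"
```

Run it against a real server's sshd_config and hosts.allow to see which of the three precautions that host is still missing.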
