Re: host authentication or ssh-agent - what's more secure?
From: Neil W Rickert (rickert+nn@cs.niu.edu)
Date: 04/24/03
- Previous message: TJ: "ssh port forward connection refused"
- In reply to: Bright: "host authentication or ssh-agent - what's more secure?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Neil W Rickert <rickert+nn@cs.niu.edu> Date: 24 Apr 2003 18:23:07 GMT
brightwell_151@yahoo.co.uk (Bright) writes:
>I'm looking for feedback on which is the better method for securing
>access to unix systems while at the same time not making it too
>uncomfortable for people to switch between servers.
I don't think there is an easy answer. It depends on what you are
trying to achieve.
Here are my current practices.
I use hostbased from my main trusted servers.
I use ssh-agent for most other authentication.
Rationale --
If someone breaks into the trusted server, they can create
a new root user in NIS+, and gain access to other systems
anyway.
Running ssh-agent has its own risks -- if an intruder has access
to the ssh-agent socket, they can "borrow" its authentication
privileges.
-------
I run ssh-agent only on my desktop client machine, with very
restricted access to that machine. By default, agent forwarding
is turned off. If I am absent from the machine for a lengthy
period, I delete the keys from agent (for safety).
If I need password-less access for copying between machines, where
it is not initiated from my ssh-agent desktop, nor from a trusted
server, then I open an ssh session
ssh -A
to do agent forwarding for the duration of that session. I do the
copy, then close that session. That way agent forwarding is never
done long-term.
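The policy described above (hostbased authentication only from named trusted servers, agent forwarding off by default, keys cleared from the agent when away, `ssh -A` only for a single copy session), as an added example that is not part of the original post or of any OpenSSH default configuration. Host names (trusted1, trusted2), the 4-hour key lifetime and the key path are assumptions; the options used (ForwardAgent, AddKeysToAgent, HostbasedAuthentication, EnableSSHKeysign, IgnoreRhosts, ssh-add -t / -D) are real OpenSSH options. The lint at the end flags a client config whose global default turns agent forwarding on, which is the case the post's practice is meant to rule out.

```shell
#!/bin/sh
# Added example, not from the original post. Encodes the practice described
# above as OpenSSH configuration plus a small lint. Host names, lifetime and
# key path are placeholders (assumptions).

# /etc/ssh/ssh_config fragment for the desktop and the trusted servers.
# EnableSSHKeysign must live in the system-wide file, outside any Host block,
# or ssh-keysign(8) will not be used and hostbased auth silently fails.
client_config() {
    cat <<'EOF'
EnableSSHKeysign yes

# Host-specific blocks come first: OpenSSH keeps the first value it sees.
# Only sessions *from* the trusted servers may use hostbased auth.
Host trusted1 trusted2
    HostbasedAuthentication yes

# Global defaults: never forward the agent unless "ssh -A" is given on the
# command line; keys loaded into the agent expire after 4 hours (assumed).
Host *
    ForwardAgent no
    AddKeysToAgent 4h
    HostbasedAuthentication no
EOF
}

# sshd_config fragment for a server that accepts hostbased auth from the
# trusted servers. The trusted host names go in /etc/ssh/shosts.equiv and
# their host keys in /etc/ssh/ssh_known_hosts; per-user ~/.shosts is ignored.
server_config() {
    cat <<'EOF'
HostbasedAuthentication yes
IgnoreRhosts yes
EOF
}

# Lint: read an ssh_config on stdin and fail (exit 1) if the global default
# ("Host *" block, or lines before any Host/Match) sets ForwardAgent yes.
# Comments and blank lines are skipped. The "ForwardAgent=yes" spelling is
# not handled; this checks only the whitespace-separated form.
forwarding_off_by_default() {
    awk '
        BEGIN { global = 1; bad = 0 }
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "host"  { global = ($2 == "*" && NF == 2); next }
        tolower($1) == "match" { global = 0; next }
        tolower($1) == "forwardagent" && global && tolower($2) == "yes" { bad = 1 }
        END { exit bad }
    '
}

# Load a key with a lifetime so an unattended desktop does not keep it usable
# indefinitely; clear every key when stepping away for a long period.
load_key()   { ssh-add -t 4h "${1:-$HOME/.ssh/id_ed25519}"; }   # path assumed
clear_keys() { ssh-add -D; }

# One-off copy from host $1 to host $3 that needs the agent for the second hop:
# forward the agent for this session only, run the copy, let the session end.
copy_via_forwarded_agent() {
    ssh -A "$1" scp -r "$2" "$3"
}

# Stand-alone run: lint the policy config and report.
if client_config | forwarding_off_by_default; then
    echo "client config: agent forwarding is off by default"
else
    echo "client config: WARNING, agent forwarding is on by default" >&2
fi
```

Usage note: run `client_config > /etc/ssh/ssh_config.d/policy.conf` (or paste it into `/etc/ssh/ssh_config`) on the desktop and trusted servers, `server_config` into `sshd_config` on the targets, and `forwarding_off_by_default < ~/.ssh/config` as a quick check that no per-user config has quietly re-enabled forwarding for everything.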