Re: Problems with scp and cron

From: Simon Tatham (anakin_at_pobox.com)
Date: 10/21/04

• Next message: Michael Surette: "Putty executing command supplied by remote server"
• Previous message: Darren Dunham: "Re: Problems with scp and cron"
• In reply to: Darren Dunham: "Re: Problems with scp and cron"
• Next in thread: Nico Kadel-Garcia: "Re: Problems with scp and cron"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: 21 Oct 2004 17:34:36 +0100 (BST)

Darren Dunham <ddunham@redwood.taos.com> wrote:
> Surely that depends on having the settings actually there. I often use
> passphraseless keys for automated jobs on machines. They must run even
> if the machine has rebooted and I haven't logged into the box to type a
> passphrase.

Quite so. Messing around with long-running ssh-agents just doesn't
seem worth it for the trivial security improvement of being safe
against someone stealing the machine; for a colocated machine that
isn't the likely threat compared to network-based attacks. And a
network-based attack gaining access to your account could read
decrypted keys out of ssh-agent without much more difficulty than it
could read unencrypted ones off disk.

To make my automated jobs secure, I give each one a dedicated SSH
key which is heavily restricted at the server end. So if, say,
somebody compromises the account which updates a particular set of
files in another machine's web space, they _only_ get the ability to
update that particular set of files, and don't get full access to my
account on the other machine. (Unless, of course, the script I run
at the far end has a security hole in it. But that's a risk you take
no matter what you do.)

-- 
Simon Tatham         "Imagine what the world would be like if
<anakin@pobox.com>    there were no hypothetical situations..."

• Next message: Michael Surette: "Putty executing command supplied by remote server"
• Previous message: Darren Dunham: "Re: Problems with scp and cron"
• In reply to: Darren Dunham: "Re: Problems with scp and cron"
• Next in thread: Nico Kadel-Garcia: "Re: Problems with scp and cron"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Freeze.Panes revisited ... account with your business name on it. ... She then deposits whatever she wants ... you have to personally initial their time sheets for every "in" ... > not had time to make copies of the keys for them yet. ... (sci.med.dentistry) RE: Is SSH worth it?? ... > Subject: RES: Is SSH worth it?? ... user account, I don't see where they would. ... how is having the text of your password stored in the Expect script ... better than having keys? ... (Security-Basics) Re: win2003 File Server in a Workgroup -- User Access ... Run gpedit.msc again and take a look at the following keys: ... Also check the permissions that you set on your shared folders (give ... you can try using the guest account. ... a Win2003 File server SP1, ... (microsoft.public.windows.server.networking) Re: X.509 and ssh ... host keys in host's ldap record. ... the financial infrastructure for all retail payment transactions) was ... and the signing entity having a public key on file ... transactions is skimming the account number and using it in fraudulent ... (comp.security.ssh) Re: cant install a new I.E ... >> removing the problem account, and checking the runonce keys? ... > As far as checking the renounce keys.. ... (microsoft.public.windows.inetexplorer.ie6.browser)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint