rsync/ssh passwords

John Abreau jabr at blu.org
Tue Mar 30 14:17:15 EST 2004


On Sun, 2004-03-28 at 17:47, John Chambers wrote:

> Yeah; I did that a few years ago, and I can see them sitting there in
> my .ssh directory. Their access time gets updated when I use ssh. But
> I'm still always asked for passwords, sometimes for the near end;
> sometimes for the far end. If I don't respond in time, the operation
> times out, and my script goes on to the next host.
> 
> Is it supposed to work differently than this? It doesn't seem wise to
> let the operation proceed without demanding a password, since that
> would mean that anyone who walked up to my machine while I'm away
> could pass as me.

There are two key parts involved: the secret key and the public key.
ssh-agent stores the decrypted secret key in memory, and prints a
three-line script to set a couple of env variables. The ssh client,
if it has sourced that script, can then get to the decrypted secret
key.

When the client tries to connect to the remote server, the remote 
server needs to have the corresponding public key in the file 
~/.ssh/authorized_keys. Also, if the ~/.ssh directory or the files 
in it have insecure permissions, they'll be ignored. I set my ~/.ssh 
to 0700 and the files within to 0600, on both ends. 

Also, in /etc/ssh/sshd_config on the server, the setting for the 
"PubkeyAuthentication" option must be "yes". I believe this is the 
default now, but I recall having to explicitly set it years ago, 
so it's probably worth checking it on your servers just to be sure. 

-- 
John Abreau / Executive Director, Boston Linux & Unix
Email jabr at blu.org / WWW http://www.abreau.net / PGP-Key-ID 0xD5C7B5D9
PGP-Key-Fingerprint 72 FB 39 4F 3C 3B D6 5B E0 C8 5A 6E F1 2C BE 99
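The three things the reply above asks the reader to check by hand (the ~/.ssh directory at 0700, the files inside it at 0600, and PubkeyAuthentication set to yes in sshd_config) can be audited with a small script. The one below is an added example written for this page, not code from the original thread or from OpenSSH. It assumes the directory and config-file paths are passed on the command line; the check for `*.pub` files being allowed at 0644 is an assumption added here (public keys are not secret), and it only reads the main sshd_config file, ignoring Include directives and Match blocks.

```shell
#!/bin/sh
# Added example: audit the client-side and server-side settings that the
# reply describes. Usage:  sh ssh_audit.sh ~/.ssh /etc/ssh/sshd_config

# Print the permission bits of a path in octal, e.g. "700".
# GNU stat uses -c '%a'; BSD/macOS stat uses -f '%Lp'.
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_ssh_perms DIR
# Succeeds when DIR is exactly 0700 and no regular file in it grants any
# group/other access. Assumption (not from the post): *.pub files may be
# 0644, since the public half of the key pair is not a secret.
check_ssh_perms() {
  dir=$1
  bad=0
  m=$(mode_of "$dir")
  if [ "$m" != "700" ]; then
    echo "BAD  $dir is mode $m (want 700)"
    bad=1
  fi
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    m=$(mode_of "$f")
    case $f in
      *.pub) ok_pattern='?00|644' ;;
      *)     ok_pattern='?00' ;;
    esac
    case $ok_pattern in
      '?00|644') case $m in ?00|644) continue ;; esac ;;
      *)         case $m in ?00)     continue ;; esac ;;
    esac
    echo "BAD  $f is mode $m (group/other bits set; want 600)"
    bad=1
  done
  return $bad
}

# check_pubkey_auth SSHD_CONFIG
# sshd honours the first occurrence of a keyword, and keywords are
# case-insensitive. Commented lines start with '#', so their first field
# never equals the bare keyword. An absent keyword means the default,
# which is "yes" in OpenSSH.
check_pubkey_auth() {
  cfg=$1
  val=$(awk 'tolower($1) == "pubkeyauthentication" { print tolower($2); exit }' "$cfg" 2>/dev/null)
  case ${val:-yes} in
    yes) return 0 ;;
    *)   echo "BAD  $cfg sets PubkeyAuthentication to '$val' (want yes)"; return 1 ;;
  esac
}

# audit SSH_DIR [SSHD_CONFIG]: run both checks, report, return 0 only if all pass.
audit() {
  rc=0
  check_ssh_perms "$1" || rc=1
  if [ $# -ge 2 ]; then
    check_pubkey_auth "$2" || rc=1
  fi
  [ $rc -eq 0 ] && echo "OK   $1 permissions and PubkeyAuthentication look right"
  return $rc
}

if [ $# -gt 0 ]; then
  audit "$@"
else
  echo "usage: $0 SSH_DIR [SSHD_CONFIG]" >&2
fi
```

Run it on both ends, as the reply suggests: the permission check on the client covers the private key, and on the server it covers authorized_keys, which sshd silently ignores when the directory or file is too permissive. The check here is deliberately stricter than sshd's own StrictModes test (which only rejects group/other-writable files), so that it matches the 0700/0600 layout the post recommends.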
