Re: Passing password in ssh


2008/1/22 Mikkel L. Ellertson <mikkel@xxxxxxxxxxxxxxxx>:
Aldo Foot wrote:
>
> Well, the scenario I described actually happened years ago to someone I
> knew.
> If I create keys without a passphrase, and share the public keys between
> two systems (A and B), then from system A I can log to system B by
> simply saying "ssh user@B". This is very convenient for cron jobs.
>
> This is particularly risky when the systems are accessed by the general
> public.
> How does someone find out the username? I don't know... company phonebook,
> online profiles listing first/lastname, etc.
>
You do know that you first have to get the private key of the key
pair, right? So you have to crack user@A's account, at least to the
point of getting the private key. Remember, the key will not work
unless it is only readable by the user. The .ssh directory also
needs to be set this way. So just being able to log into machine A
is not enough. You also need access to the private key.

You are correct. My worst nightmare does not include stealing the private
key. But simply cracking into a user's account who has access to several
systems containing the keys.

Worst scenario is when someone breaks into a system, gains root access
and does "su - user" to such account and by looking into the .shosts tries
his luck to other systems.
 

But even having a pass phrase does not help if someone uses dumb
passwords. Things like first name as user name, and last name as
password. Then they use their full name as the pass phrase on the
key. Or if machine B lets you ssh in using username/password, and
you have a user like this. The key is to use the tools responsibly.

Bingo!  There lies my problem.

Perhaps a good practice is to configure accounts such as those for
cron jobs to use only specific commands.
Does anyone reading this thread use such a setup?
I'll play with this a bit.



Mikkel
--

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
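
The restriction proposed in the message above (a cron-job key that may run only specific commands) can be enforced on system B with an OpenSSH forced command bound to the key in `authorized_keys`. The following is an added example, not part of the original thread; the wrapper path `/usr/local/bin/cron-gate`, the job names and the commands they map to are hypothetical.

```shell
#!/bin/sh
# Added example: forced-command gate for a passphrase-less cron key.
# Bound to the key on system B in ~/.ssh/authorized_keys (one line):
#   command="/usr/local/bin/cron-gate",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 <PUBLIC-KEY> cron@A
# sshd then runs this script for every login with that key and puts whatever
# the client asked for in SSH_ORIGINAL_COMMAND. Job names and target commands
# below are hypothetical.

# Map a requested job name to a fixed command line. The client's string is
# only compared against literals; it is never evaluated or passed to a shell.
gate_resolve() {
    case "$1" in
        backup-db)   echo "/usr/local/sbin/backup-db --nightly" ;;
        rotate-logs) echo "/usr/sbin/logrotate /etc/logrotate.conf" ;;
        *)           return 1 ;;  # empty request, unknown job, extra arguments
    esac
}

# Entry point when sshd invokes the wrapper.
gate_main() {
    req=${SSH_ORIGINAL_COMMAND:-}   # unset means an interactive login attempt
    if cmd=$(gate_resolve "$req"); then
        logger -t cron-gate "allow: $req"
        exec $cmd   # unquoted on purpose: splits our own fixed string only
    fi
    logger -t cron-gate "deny: $req"   # denials are worth alerting on
    echo "cron-gate: request refused" >&2
    exit 1
}

# Print the decision for a few constructed requests (sample data, not logs).
gate_demo() {
    for req in "backup-db" "rotate-logs" "" "/bin/sh" "backup-db; id"; do
        if cmd=$(gate_resolve "$req"); then
            printf 'allow  %-16s -> %s\n' "[$req]" "$cmd"
        else
            printf 'deny   %s\n' "[$req]"
        fi
    done
}

# Act as the gate only when installed under its real name; otherwise demo.
case "${0##*/}" in
    cron-gate) gate_main ;;
    *)         gate_demo ;;
esac
```

With this in place, a copy of the key taken from system A can start the two listed jobs on B and nothing else: no shell, no port forwarding, no arbitrary command.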