On 14/02/06, Barry Brimer <barry.brimer@xxxxxxxxxxx> wrote:
> >
> > Right now I use passwords for some ssh connections, and passwordless ssh
> > for crontab rsyncs, using passwordless rsa keys. (When it asked to enter
> > a password for ssh-keygen I just hit enter). Does this leave me
> > vulnerable? Is there a how-to on this that explains how to use ssh-agent
> > with keys with passes?
>
> I recommend Keychain <http://www.gentoo.org/proj/en/keychain/>. With
> keychain, you can log in and unlock your keys and allow your ssh
> communications to use them as needed. You do have to unlock them after
> each reboot.

As Barry says, Keychain is very useful, especially for situations where you
want a script to connect to another system unattended but want to avoid
passwordless keys.

There were some decent how-tos on IBM Developerworks ages ago...

http://www.ibm.com/developerworks/library/l-keyc.html
http://www.ibm.com/developerworks/library/l-keyc2/
http://www.ibm.com/developerworks/linux/library/l-keyc3/?Opent=grl,l=929,p=Kp3

I believe some of the options Keychain accepts have changed since the
articles were written, but they're still useful.

I have SSHd set up similarly to...

<--------------------------------------------------------------------->
Port 2220
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
SyslogFacility AUTHPRIV
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
IgnoreRhosts yes
PasswordAuthentication no
X11Forwarding yes
<--------------------------------------------------------------------->

In scripts which require the facility to connect "passwordlessly" to other
hosts, generate a new keypair with a strong password for the user the script
will run as. In one of the user's initialisation scripts
(.bashrc/.bash_profile) add the following...

keychain --clear --nogui id_rsa

And then in the script itself source the keychain agent authentication
details...

[[ -f $HOME/.keychain/$HOSTNAME-sh ]] && source $HOME/.keychain/$HOSTNAME-sh

Anyone logging into the system as the user will need to enter the password
for the keypair to see/use the ssh-agent authentication information, but
scripts will be able to use it without intervention.

Will.
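The pattern Will describes (source the per-host keychain state file, then let the cron job use the agent) has one failure mode worth handling explicitly: after a reboot nobody has entered the passphrase yet, so the agent either is not running or holds no identity, and an unattended rsync would hang on a prompt or fail with an unhelpful error. The following added example wraps the same `source $HOME/.keychain/$HOSTNAME-sh` step in a script-side check. It is not code from the mail or from the Keychain project. It assumes the state file keychain writes has the name and location the mail gives (`<hostname>-sh` under `~/.keychain`, exporting `SSH_AUTH_SOCK`), and it uses `ssh-add -l` (not mentioned in the mail) to confirm an identity is actually loaded. The demonstration at the bottom runs against a constructed state file pointing at a non-existent socket, so it works offline and shows the wrapper refusing to run.

```shell
#!/bin/sh
# Added example, not from the original mail or the Keychain project.
# Assumptions (not in the mail): the keychain state file is
# $KEYCHAIN_DIR/<hostname>-sh and exports SSH_AUTH_SOCK; ssh-add(1) is
# available to ask the agent whether it holds an identity.

# Source the agent variables keychain wrote for this host.
# Returns 0 if the file existed and exported SSH_AUTH_SOCK, 1 otherwise.
load_keychain_env() {
    dir=${1:-"$HOME/.keychain"}
    host=${2:-"$(hostname 2>/dev/null || uname -n)"}
    file="$dir/$host-sh"
    [ -f "$file" ] || return 1
    # shellcheck disable=SC1090
    . "$file"
    [ -n "$SSH_AUTH_SOCK" ] || return 1
    return 0
}

# Ask the agent whether it holds any identities.
# ssh-add -l exit codes: 0 = at least one key loaded, 1 = agent reachable
# but empty (passphrase not entered since the last reboot), 2 = no agent
# reachable at $SSH_AUTH_SOCK. We add 3 = ssh-add not installed.
agent_has_key() {
    command -v ssh-add >/dev/null 2>&1 || return 3
    ssh-add -l >/dev/null 2>&1
    return $?
}

# Run the unattended job only when a key is really available, so a cron
# job that fires after a reboot logs a clear reason instead of hanging on
# a passphrase prompt or failing with an opaque "permission denied".
run_if_key_loaded() {
    if ! load_keychain_env "$@"; then
        echo "no keychain state file; log in and run keychain first" >&2
        return 1
    fi
    agent_has_key
    case $? in
        0) ;;
        1) echo "agent running but no identity loaded (passphrase not entered since reboot)" >&2
           return 1 ;;
        2) echo "no ssh-agent reachable at $SSH_AUTH_SOCK" >&2
           return 1 ;;
        *) echo "ssh-add not found; cannot verify agent state" >&2
           return 1 ;;
    esac
    # The job proper goes here, e.g.:  rsync -a /srv/data/ backup-host:/srv/data/
    echo "key available; running job"
    return 0
}

# Stand-alone demonstration with a constructed keychain state file and no
# real agent: the socket path does not exist, so the wrapper must refuse.
demo() {
    tmp=$(mktemp -d)
    printf 'SSH_AUTH_SOCK=%s/agent.sock; export SSH_AUTH_SOCK;\nSSH_AGENT_PID=4242; export SSH_AGENT_PID;\n' \
        "$tmp" > "$tmp/demohost-sh"
    if run_if_key_loaded "$tmp" demohost; then
        echo "unexpected: job ran against a fake agent socket" >&2
        rm -rf "$tmp"
        return 1
    fi
    rm -rf "$tmp"
    return 0
}

demo
```

In a real deployment the script would call `run_if_key_loaded` with no arguments so the defaults resolve to `$HOME/.keychain/$(hostname)-sh`, exactly the file the mail sources; the explicit arguments exist only so the check can be exercised against a temporary directory.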