Re: ssh/keychain dilemma

On Wed, 21 May 2008, David Rosenstrauch wrote:

> I've been using ssh with a cron job to do backups for quite a while
> now.  But I'm realizing that the way I've been doing it (i.e.,
> having the cron job ssh in using a key without a passphrase) is
> rather insecure.  So I've been looking into ways to make the setup
> more secure by integrating a passphrase into the mix.

If the goal is to allow your cron job to be able to log in, then there
is absolutely no point in "integrating a passphrase into the mix".
Simply make your keyfile non-readable by non-intended uids.

Think about your threat model: if you fear that somebody can gain root
access to your server and read your keyfile, then they can as well get
the key and cached passphrase (or something equivalent to it) and thus
you do not gain any security. In other words, if you cannot imagine
any reasonable scenario where a keyfile with a cached passphrase prevents
an attack, then don't bother to use a passphrase.

-- 
Regards,
ASK
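
Added example, not part of the original message: one way to check that a cron job's key file is not readable by unintended uids. The function name `audit_keyfile` and the path in the usage comment are hypothetical. It assumes traditional Unix mode bits (ACLs are not inspected) and also checks the containing directory, which goes slightly beyond read access.

```python
import os
import stat
import sys


def audit_keyfile(path, expected_uid):
    """Return findings for a private key file. An empty list means the mode
    bits let only expected_uid (and root) read or replace it. ACLs are not
    inspected (assumption of this example)."""
    findings = []
    st = os.lstat(path)  # lstat: do not follow a symlink planted at this path
    if not stat.S_ISREG(st.st_mode):
        return [f"{path}: not a regular file"]
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        mode = stat.S_IMODE(st.st_mode)
        findings.append(f"{path}: mode {mode:04o} gives group/other access")

    # Added check beyond read access: a uid that can write the containing
    # directory can replace the key file even if it cannot read it.
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    if pst.st_uid not in (0, expected_uid):
        findings.append(f"{parent}: owned by uid {pst.st_uid}")
    if pst.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{parent}: directory is group/other writable")
    return findings


if __name__ == "__main__":
    # Usage (hypothetical path): python3 audit_keyfile.py /home/backup/.ssh/id_backup
    problems = audit_keyfile(sys.argv[1], os.getuid())
    for line in problems:
        print(line)
    sys.exit(1 if problems else 0)
```

Run it as the account that owns the cron job; a non-zero exit status means at least one finding was printed.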
