Date:      Thu, 2 Jun 2005 20:07:09 +0300
From:      Giorgos Keramidas <keramida@ceid.upatras.gr>
To:        freebsd-questions@freebsd.org
Subject:   Re: can't figure out ssh, read lots of docs...
Message-ID:  <20050602170709.GA3507@orion.daedalusnetworks.priv>
In-Reply-To: <000101c56794$ab00e330$144da8c0@rtxnetworks.local>
References:  <20050602161621.GB2778@orion.daedalusnetworks.priv> <000101c56794$ab00e330$144da8c0@rtxnetworks.local>

On 2005-06-02 18:01, Lowell Gilbert <freebsd-questions-local@be-well.ilk.org> wrote:
>Giorgos Keramidas <keramida@ceid.upatras.gr> writes:
>>On 2005-06-02 10:38, Lowell Gilbert <freebsd-questions-local@be-well.ilk.org> wrote:
>>> The original poster wanted to do automated backups via scp.  This
>>> kind of application *requires* empty passphrases
>>
>> Nope.  scp works fine with a pass-phrase too, if one uses ssh-agent
>> properly, regardless of the remote user being root or not.
>
> You're recommending leaving an ssh-agent instance running unattended
> instead of having a passphrase-less key?

Not really.  In fact, this was exactly what I said is a "bad idea" in a
previous post.

> That just means you have to protect the agent's socket as carefully as
> you would have to protect the unencrypted key file.

For only as long as the agent process is alive.  Which is usually a lot
less than "forever" -- the time for which an unencrypted key which also
exists in authorized_keys works.

> You are right: there *are* ways to give access to the key other than
> empty passphrases.  The only real disadvantage of the agent approach
> is that the key becomes inaccessible when the system reboots.

Exactly (or when I issue `pkill ssh-agent').
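The two exposure windows the thread contrasts (a plaintext key on disk that works for as long as it sits in authorized_keys, versus a key reachable only while ssh-agent and its socket exist) can be audited locally. This is an added example, not code from the thread or from OpenSSH; the key blobs and the throwaway socket it checks are constructed samples, and the permission checks assume the usual agent layout of a 0600 socket inside a 0700 directory.

```python
import base64, os, socket, stat, struct, tempfile

MAGIC = b"openssh-key-v1\x00"  # leading bytes of the new OpenSSH key format

def constructed_openssh_key(cipher: str) -> str:
    """Constructed sample: only the openssh-key-v1 header, no real key material."""
    blob = MAGIC + struct.pack(">I", len(cipher)) + cipher.encode()
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

def key_is_encrypted(pem_text: str) -> bool:
    """True if the private key needs a passphrase (i.e. is not plaintext on disk)."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if not lines or "OPENSSH PRIVATE KEY" not in lines[0]:
        # Legacy PEM keys mark encryption with a 'Proc-Type: 4,ENCRYPTED' header.
        return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad openssh-key-v1 magic")
    off = len(MAGIC)
    (n,) = struct.unpack(">I", blob[off:off + 4])
    # The cipher name directly after the magic is 'none' for a plaintext key.
    return blob[off + 4:off + 4 + n] != b"none"

def agent_socket_issues(sock_path: str) -> list[str]:
    """Reasons an agent socket is reachable by others, or a note that it is gone."""
    try:
        st = os.lstat(sock_path)
    except FileNotFoundError:
        return ["socket missing: agent gone, key no longer reachable"]
    issues = []
    if st.st_uid != os.getuid():
        issues.append("socket not owned by current user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        issues.append("socket has group/other permission bits")
    if os.stat(os.path.dirname(sock_path)).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        issues.append("socket directory has group/other permission bits")
    return issues

def constructed_agent_socket(mode: int) -> list[str]:
    """Constructed sample: bind a throwaway socket with the given mode and audit it."""
    d = tempfile.mkdtemp()  # mkdtemp creates the directory 0700, like ssh-agent does
    path = os.path.join(d, "agent.0")
    with socket.socket(socket.AF_UNIX) as s:
        s.bind(path)
        os.chmod(path, mode)
        return agent_socket_issues(path)
```

Pointing `agent_socket_issues` at `$SSH_AUTH_SOCK` and `key_is_encrypted` at each file under `~/.ssh` reports which of the two windows a host is actually exposed through.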
