From owner-freebsd-questions@FreeBSD.ORG Thu Jun 2 20:20:01 2005
From: Lowell Gilbert
To: freebsd-questions@freebsd.org
Date: 02 Jun 2005 16:19:59 -0400
Subject: Re: can't figure out ssh, read lots of docs...
In-Reply-To: <20050602170709.GA3507@orion.daedalusnetworks.priv>
References: <20050602161621.GB2778@orion.daedalusnetworks.priv> <000101c56794$ab00e330$144da8c0@rtxnetworks.local> <20050602170709.GA3507@orion.daedalusnetworks.priv>
Message-ID: <44k6lc4ikw.fsf@be-well.ilk.org>
Giorgos Keramidas writes:

> On 2005-06-02 18:01, Lowell Gilbert wrote:
> > Giorgos Keramidas writes:
> > > On 2005-06-02 10:38, Lowell Gilbert wrote:
> > > > The original poster wanted to do automated backups via scp. This
> > > > kind of application *requires* empty passphrases
> > >
> > > Nope. scp works fine with a pass-phrase too, if one uses ssh-agent
> > > properly, regardless of the remote user being root or not.
> >
> > You're recommending leaving an ssh-agent instance running unattended
> > instead of having a passphrase-less key?
>
> Not really. In fact, this was exactly what I said is a "bad idea" in a
> previous post.

Okay, so how *do* you apply the agent approach to automated operation?
The "automated" process only works when the operator is present?

> > That just means you have to protect the agent's socket as carefully as
> > you would have to protect the unencrypted key file.
>
> For only as long as the agent process is alive. Which is usually a lot
> less than "forever" -- the time for which an unencrypted key which also
> exists in authorized_keys works.
>
> > You are right: there *are* ways to give access to the key other than
> > empty passphrases. The only real disadvantage of the agent approach
> > is that the key becomes inaccessible when the system reboots.
>
> Exactly (or when I issue `pkill ssh-agent').

That can be a *huge* disadvantage. For my home network, I'm willing to
have operator intervention required to do a backup. But I wouldn't
recommend that approach for a commercial operation.
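The thread turns on the fact that a passphrase-less key listed in authorized_keys works "forever" and grants whatever the account can do. The usual way to shrink that exposure without an agent is to confine the key on the server side with authorized_keys options. The following is an added example, not code from either poster: it builds a restricted entry for a dedicated backup key and audits an authorized_keys file for entries that carry no options at all. The forced command path, the source address and the key material are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): confine an unencrypted backup key
# with OpenSSH authorized_keys options, and audit a file for entries that
# grant an unconstrained shell.

# restricted_entry PUBKEY_LINE [FROM_PATTERN]
# Wraps a public key in options so that, even with an empty passphrase,
# it can only run the forced command, and only from the given source.
restricted_entry() {
    key=$1
    from=${2:-192.0.2.10}   # constructed example source address
    # The forced command path is an assumption; point it at the
    # server-side script that actually receives the backup.
    printf 'from="%s",command="/usr/local/bin/backup-receive",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$from" "$key"
}

# unrestricted_count FILE
# Counts authorized_keys entries with no options prefix, i.e. keys that
# grant a full login. Comment and blank lines are ignored.
unrestricted_count() {
    awk '
        /^[ \t]*#/ { next }
        NF == 0    { next }
        # If the first field is a key type, there is no options prefix.
        $1 ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$/ { n++ }
        END { print n + 0 }
    ' "$1"
}

# Constructed sample data: the key material below is placeholder text,
# not a real key.
SAMPLE_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYMATERIAL backup@client"

# demo: write one unrestricted and one restricted copy of the sample key
# to a temporary file and report how many entries are unrestricted.
demo() {
    tmp=$(mktemp)
    {
        echo "# unrestricted entry: full shell for as long as the key exists"
        echo "$SAMPLE_KEY"
        restricted_entry "$SAMPLE_KEY" 192.0.2.10
    } > "$tmp"
    unrestricted_count "$tmp"
    rm -f "$tmp"
}
```

Run `demo` to see the audit report 1 for the sample file; on a real host, `unrestricted_count ~/.ssh/authorized_keys` returning anything but 0 for an account used only by automation is the thing to look at. A restricted entry does not make the private key file any less sensitive, but it bounds what a leaked key can do to the one forced command from the one source.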