Date: Thu, 25 Mar 1999 12:06:15 -0800 (PST)
From: dima@best.net (Dima Ruban)
To: dillon@apollo.backplane.com (Matthew Dillon)
Cc: miket@dnai.com, gaskell@isrc.qut.edu.au, freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
Message-ID: <199903252006.MAA22667@burka.rdy.com>
In-Reply-To: <199903251828.KAA00857@apollo.backplane.com> from Matthew Dillon at "Mar 25, 1999 10:28:50 am"
Matthew Dillon writes:
> :Matthew,
> :
> :Another quick question. Under the configuration described below
> :can one system issue an ssh command from a script to another system
> :without having to include a password? We have automated scripts
> :that will run nightly that will run on one server and execute commands
> :on other servers using ssh. Supplying such a password to the
> :Kerberos kinit application before using ssh in such a script will be
> :problematic. I assume this is why you mentioned your use of the

No, it won't be. You can always use host keys in cases like that rather than user keys.

> :"authorized_keys" files for limited purposes? Any other suggestions?
> :
> :Mike Thompson
>
>     You can always use ssh's authorized_keys mechanism, in which a user ( or
>     root ) on one machine gives root on another machine access via a keypair.
>     Typically, in order for this to work from cron, you cannot put a password
>     on the private key, so the administrative machine from which the ssh is
>     issued must be secure.
>
>     People sometimes forget that in a typical setup, if someone steals the
>     private key from machine A for which machine B has entered the public
>     key in its authorized_keys file, that person can use it to ssh to
>     machine B from anywhere. With ssh, you have to use the
>     'from="fulldomainname"' option *IN* the authorized_keys file to ensure
>     that the key authenticates *AND* that it is coming from a specific client.
>     e.g.
>
>     # authorized_keys file
>     #
>     from="apollo.backplane.com" 1024 37 8123412340...
>
>                                         -Matt
>                                         Matthew Dillon
>                                         <dillon@backplane.com>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- dima
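A defender-side check that follows from Matt's point about `from=`: the POSIX shell audit below (added here; it is not code from the thread or from the FreeBSD project) scans an authorized_keys file and reports every key entry that carries no `from="..."` restriction, i.e. a key that would authenticate from any client host if its private half were copied off the administrative machine. It recognises both the ssh1 "bits exponent modulus" layout shown in the quoted example and the OpenSSH "ssh-rsa AAAA..." layout; the function names, the file layout of the sample, and the key material in the test are constructed for illustration.

```sh
#!/bin/sh
# Added audit helper (constructed example, not from the thread).
# Assumptions: one key per line; an options string, when present, is at the
# start of the line and contains the from= keyword; comment lines start
# with '#'. Blank and comment lines are ignored.

# Print every key line that lacks a from="..." restriction, prefixed with
# its line number, so an administrator can see which entries are host-unbound.
unrestricted_keys() {
    file="$1"
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ''|'#'*) continue ;;          # skip blank lines and comments
            *'from="'*) ;;                # bound to the listed host pattern(s)
            *) printf 'UNRESTRICTED line %d: %s\n' "$n" "$line" ;;
        esac
    done < "$file"
}

# Echo the number of unrestricted key lines (0 means every key is host-bound).
count_unrestricted_keys() {
    unrestricted_keys "$1" | wc -l | tr -d ' '
}

# Usage: sh audit_keys.sh /path/to/authorized_keys
if [ $# -gt 0 ]; then
    unrestricted_keys "$1"
    echo "unrestricted keys: $(count_unrestricted_keys "$1")"
fi
```

Run it against the authorized_keys files on any machine that accepts cron-driven ssh logins; a non-zero count is the list of keys to pin with `from=` (or to rotate, if the originating host is unknown).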