Date:      Thu, 25 Mar 1999 12:06:15 -0800 (PST)
From:      dima@best.net (Dima Ruban)
To:        dillon@apollo.backplane.com (Matthew Dillon)
Cc:        miket@dnai.com, gaskell@isrc.qut.edu.au, freebsd-security@FreeBSD.ORG
Subject:   Re: Kerberos vs SSH
Message-ID:  <199903252006.MAA22667@burka.rdy.com>
In-Reply-To: <199903251828.KAA00857@apollo.backplane.com> from Matthew Dillon at "Mar 25, 1999 10:28:50 am"

Matthew Dillon writes:
> :Matthew,
> :
> :Another quick question.  Under the configuration described below 
> :can one system issue an ssh command from a script to another system
> :without having to include a password?  We have automated scripts
> :that will run nightly that will run on one server and execute commands
> :on other servers using ssh.  Supplying such a password to the 
> :Kerberos kinit application before using ssh in such a script will be 
> :problematic. I assume this is why you mentioned your use of the 

No, it won't be. You can always use a host key in cases like that rather
than user keys.

> :"authorized_keys" files for limited purposes?  Any other suggestions?
> :
> :Mike Thompson
> 
>     You can always use ssh's authorized_keys mechanism, in which a user (or
>     root) on one machine gives root on another machine access via a keypair.
>     Typically, in order for this to work from cron, you cannot put a password
>     on the private key, so the administrative machine from which the ssh is
>     issued must be secure.
> 
>     People sometimes forget that in a typical setup, if someone steals the
>     private key from machine A for which machine B has entered the public
>     key in its authorized_keys file, that person can use it to ssh to 
>     machine B from anywhere.  With ssh, you have to use the
>     'from="fulldomainname"' option *IN* the authorized_keys file to ensure 
>     that the key authenticates *AND* that it is coming from a specific client.
>     e.g.
> 
>     # authorized_keys file
>     #
>     from="apollo.backplane.com" 1024 37 8123412340...
> 
> 					-Matt
> 					Matthew Dillon 
> 					<dillon@backplane.com>

-- dima


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
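As an added example, not code from the thread or from either poster: a small Python audit that parses authorized_keys entries (both the SSH1 "bits exponent modulus" layout Matt quotes and the modern "keytype base64" layout) and flags keys that carry no `from=` restriction, i.e. keys a stolen private key could use from any client. The sample entries, the `*.backplane.com` pattern and the key-type list are constructed for the demo.

```python
"""Audit authorized_keys entries that lack a from="..." restriction.

Hypothetical helper written for this page, not code from the thread. Handles
the SSH1 layout Matt quotes ("bits exponent modulus") and the modern
"keytype base64 [comment]" layout; lists keys usable from any client.
"""
import re

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")

# Constructed sample file; only the first entry mirrors the thread's example.
SAMPLE = """\
# authorized_keys file
from="apollo.backplane.com" 1024 37 8123412340 backup@apollo
1024 37 9876543210 legacy-unrestricted
from="*.backplane.com",no-pty,command="/usr/local/bin/nightly" ssh-ed25519 AAAAC3Nza nightly
ssh-rsa AAAAB3Nza anyone-anywhere
"""

def split_options(line):
    """Split at the first space outside double quotes: (options, key)."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i:].lstrip()
    return line, ""

def parse_entry(line):
    """Return {'options': {name: value_or_None}, 'key': text}, or None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    first = line.split(None, 1)[0]
    # SSH1 entries start with the key length, modern ones with the key type;
    # anything else is a comma-separated option list preceding the key.
    if first.isdigit() or first.startswith(KEY_TYPES):
        opts, key = "", line
    else:
        opts, key = split_options(line)
    options = {m.group(1).lower(): m.group(2)
               for m in re.finditer(r'([\w-]+)(?:="((?:[^"\\]|\\.)*)")?', opts)}
    return {"options": options, "key": key}

def unrestricted_keys(text):
    """Key strings of entries with no from= option (usable from anywhere)."""
    return [e["key"] for e in map(parse_entry, text.splitlines())
            if e and "from" not in e["options"]]
```

Run `unrestricted_keys(open("/root/.ssh/authorized_keys").read())` on a real file to list the entries that should also get `from=` (and usually `command=`) before a passwordless cron key is trusted.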




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199903252006.MAA22667>