Subject: Re: Kerberos vs SSH
From: dima@best.net (Dima Ruban)
To: dillon@apollo.backplane.com (Matthew Dillon)
Cc: miket@dnai.com, gaskell@isrc.qut.edu.au, freebsd-security@FreeBSD.ORG
Date: Thu, 25 Mar 1999 12:06:15 -0800 (PST)
Message-Id: <199903252006.MAA22667@burka.rdy.com>
In-Reply-To: <199903251828.KAA00857@apollo.backplane.com> from Matthew Dillon at "Mar 25, 1999 10:28:50 am"
Reply-To: dima@best.net
Organization: HackerDome

Matthew Dillon writes:
> :Matthew,
> :
> :Another quick question. Under the configuration described below
> :can one system issue an ssh command from a script to another system
> :without having to include a password? We have automated scripts
> :that will run nightly that will run on one server and execute commands
> :on other servers using ssh. Supplying such a password to the
> :Kerberos kinit application before using ssh in such a script will be
> :problematic. I assume this is why you mentioned your use of the

No, it won't be. You can always use a host key in cases like that rather
than user keys.

> :"authorized_keys" files for limited purposes? Any other suggestions?
> :
> :Mike Thompson
>
> You can always use ssh's authorized_keys mechanism, in which a user (or
> root) on one machine gives root on another machine access via a keypair.
> Typically, in order for this to work from cron, you cannot put a password
> on the private key, so the administrative machine from which the ssh is
> issued must be secure.
>
> People sometimes forget that in a typical setup, if someone steals the
> private key from machine A for which machine B has entered the public
> key in its authorized_keys file, that person can use it to ssh to
> machine B from anywhere. With ssh, you have to use the
> 'from="fulldomainname"' option *IN* the authorized_keys file to ensure
> that the key authenticates *AND* that it is coming from a specific client.
> e.g.
>
> # authorized_keys file
> #
> from="apollo.backplane.com" 1024 37 8123412340...
>
> -Matt
> Matthew Dillon

-- dima

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
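An added example, not code from the thread or from ssh itself: a small Python audit that parses an authorized_keys file and reports the entries that carry no from= option, which is the exposure Matt describes. It understands the SSH1 line layout quoted above ("bits exponent modulus comment") and, going a step beyond the post, the SSH2 layout ("keytype base64 comment") that OpenSSH uses; the sample file, its key material and its hostnames are constructed.

```python
# Hypothetical helper: flag authorized_keys entries with no from="..." restriction.
import re

def split_options(line):
    """Return (options, key); options end at the first space outside double quotes."""
    in_quote, i = False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and in_quote:  # skip an escaped character inside quotes
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c == " " and not in_quote:
            break
        i += 1
    head = line[:i]
    # A leading bit count (SSH1) or key type (SSH2) means there is no options field.
    if head.isdigit() or head.startswith(("ssh-", "ecdsa-", "sk-")):
        return "", line
    return head, line[i:].lstrip()

def parse_options(opts):
    """Split 'from="a,b",no-pty' into [("from", "a,b"), ("no-pty", None)]; quoted values may hold commas."""
    pat = r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?'
    return [(m.group(1), m.group(2)) for m in re.finditer(pat, opts)]

def audit(text):
    """One (line_no, bits_or_keytype, from_value_or_None) tuple per key line."""
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, key = split_options(line)
        out.append((n, key.split()[0], dict(parse_options(opts)).get("from")))
    return out

def unrestricted(text):
    """Keys with no (or an empty) from= option: a stolen copy works from anywhere."""
    return [f for f in audit(text) if not f[2]]

# Constructed sample: lines 3 and 5 are the entries Matt's advice would catch.
SAMPLE = """\
# authorized_keys file
from="apollo.backplane.com" 1024 37 8123412340 matt@apollo
1024 37 9876543210 backup@somewhere
from="10.0.0.0/24,*.example.com",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA cron@admin
ssh-rsa AAAAB3NzaC1yc2EAAAA unrestricted@laptop
"""
```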