Passing password in ssh

Aldo Foot lunixer at gmail.com
Wed Jan 23 01:50:16 UTC 2008


On Jan 22, 2008 5:36 PM, Craig White <craigwhite at azapple.com> wrote:

> On Tue, 2008-01-22 at 11:38 -0800, Aldo Foot wrote:
> >
> >
> > On Jan 22, 2008 8:34 AM, Gijs <info at boer-software-en-webservices.nl>
> > wrote:
> >         Or you can do it the "easy" way. Use public keys without a
> >         password on it.
> >         You won't have to type in any password, so you won't get the
> >         popup anymore, and it's relatively secure.
> >
> > I agree. Passwordless SSH keys are _very_ insecure in my opinion.
> > Just pray that the account owning the keys is not compromised...
> > because then the floodgates are opened.
> > Of course this is a non-issue if your systems are in some private net
> > not exposed to outside traffic.
> ----
> I'm confused by this comment.
>
> If you use ssh keys, does it matter whose account is compromised? Once
> the account is compromised, couldn't they just load a keylogger?
>
> And then, ssh keys still have passwords unless the creator of the keys
> decides to omit a password.
>
> Am I missing something here?
>
> Craig
>
>
Well, the scenario I described actually happened years ago to someone I
knew.
If I create keys without a passphrase, and share the public keys between
two systems (A and B), then from system A I can log in to system B by
simply saying "ssh user@B". This is very convenient for cron jobs.

This is particularly risky when the systems are accessed by the general
public.
How does someone find out the username? I don't know... company phonebook,
online profiles listing first/lastname, etc.

~af
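
An added example, not part of the original thread: a Python check an administrator could run to list private keys that carry no passphrase, the case this message describes. It assumes the two on-disk formats OpenSSH writes (legacy PEM with a `Proc-Type` header, and `openssh-key-v1` with a cipher name field); the function names and sample keys are constructed for illustration and contain no real key material.

```python
import base64
import struct
from pathlib import Path

MAGIC = b"openssh-key-v1\x00"  # magic of the current OpenSSH private key format

def _ssh_string(data):
    """Pack one length-prefixed string (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data

def key_is_encrypted(text):
    """True if the private key text is passphrase-protected, False if not.
    Raises ValueError when the text is not a PEM-armoured private key."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if not lines or not (lines[0].startswith("-----BEGIN ")
                         and lines[0].endswith("PRIVATE KEY-----")):
        raise ValueError("not a private key")
    label, body = lines[0][11:-5], lines[1:-1]
    if label == "OPENSSH PRIVATE KEY":
        blob = base64.b64decode("".join(body))
        if not blob.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        (n,) = struct.unpack_from(">I", blob, len(MAGIC))
        cipher = blob[len(MAGIC) + 4:len(MAGIC) + 4 + n]
        return cipher != b"none"          # "none" means no passphrase
    if label == "ENCRYPTED PRIVATE KEY":  # PKCS#8, always encrypted
        return True
    # Legacy PEM (RSA/DSA/EC): encryption is announced in a Proc-Type header
    return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in body)

def unprotected_keys(directory):
    """Return names of private key files in directory that have no passphrase."""
    found = []
    for path in sorted(Path(directory).iterdir()):
        try:
            if path.is_file() and not key_is_encrypted(path.read_text(errors="replace")):
                found.append(path.name)
        except (ValueError, struct.error, OSError):
            pass                          # public keys, known_hosts, config, ...
    return found

# Constructed samples: headers only, no real key material.
def sample_openssh(cipher, kdf):
    blob = MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"")
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + base64.b64encode(blob).decode() + "\n-----END OPENSSH PRIVATE KEY-----\n")

LEGACY_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"
LEGACY_ENC = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
              "Q09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n")
```

Calling `unprotected_keys` on an account's `.ssh` directory returns the file names of keys that would allow the password-free login from A to B described above.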