can't figure out ssh, read lots of docs...

Lowell Gilbert freebsd-questions-local at
Thu Jun 2 20:20:01 GMT 2005

Giorgos Keramidas <keramida at> writes:

> On 2005-06-02 18:01, Lowell Gilbert <freebsd-questions-local at> wrote:
> >Giorgos Keramidas <keramida at> writes:
> >>On 2005-06-02 10:38, Lowell Gilbert <freebsd-questions-local at> wrote:
> >>> The original poster wanted to do automated backups via scp.  This
> >>> kind of application *requires* empty passphrases
> >>
> >> Nope.  scp works fine with a pass-phrase too, if one uses ssh-agent
> >> properly, regardless of the remote user being root or not.
> >
> > You're recommending leaving an ssh-agent instance running unattended
> > instead of having a passphrase-less key?
> Not really.  In fact, this was exactly what I said is a "bad idea" in a
> previous post.

Okay, so how *do* you apply the agent approach to automated
operation?  The "automated" process only works when the operator 
is present?  

> > That just means you have to protect the agent's socket as carefully as
> > you would have to protect the unencrypted key file.
> For only as long as the agent process is alive.  Which is usually a lot
> less than "forever" -- the time for which an unencrypted key which also
> exists in authorized_keys works.
> > You are right: there *are* ways to give access to the key other than
> > empty passphrases.  The only real disadvantage of the agent approach
> > is that the key becomes inaccessible when the system reboots.
> Exactly (or when I issue `pkill ssh-agent').

That can be a *huge* disadvantage.  For my home network, I'm willing
to have operator intervention required to do a backup.  But I wouldn't
recommend that approach for a commercial operation.

More information about the freebsd-questions mailing list