can't figure out ssh, read lots of docs...

Lowell Gilbert freebsd-questions-local at be-well.ilk.org
Thu Jun 2 20:20:01 GMT 2005


Giorgos Keramidas <keramida at ceid.upatras.gr> writes:

> On 2005-06-02 18:01, Lowell Gilbert <freebsd-questions-local at be-well.ilk.org> wrote:
> >Giorgos Keramidas <keramida at ceid.upatras.gr> writes:
> >>On 2005-06-02 10:38, Lowell Gilbert <freebsd-questions-local at be-well.ilk.org> wrote:
> >>> The original poster wanted to do automated backups via scp.  This
> >>> kind of application *requires* empty passphrases
> >>
> >> Nope.  scp works fine with a pass-phrase too, if one uses ssh-agent
> >> properly, regardless of the remote user being root or not.
> >
> > You're recommending leaving an ssh-agent instance running unattended
> > instead of having a passphrase-less key?
> 
> Not really.  In fact, this was exactly what I said is a "bad idea" in a
> previous post.

Okay, so how *do* you apply the agent approach to automated
operation?  The "automated" process only works when the operator
is present?

> > That just means you have to protect the agent's socket as carefully as
> > you would have to protect the unencrypted key file.
> 
> For only as long as the agent process is alive.  Which is usually a lot
> less than "forever" -- the time for which an unencrypted key which also
> exists in authorized_keys works.
> 
> > You are right: there *are* ways to give access to the key other than
> > empty passphrases.  The only real disadvantage of the agent approach
> > is that the key becomes inaccessible when the system reboots.
> 
> Exactly (or when I issue `pkill ssh-agent').

That can be a *huge* disadvantage.  For my home network, I'm willing
to have operator intervention required to do a backup.  But I wouldn't
recommend that approach for a commercial operation.
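Added example, not from this thread or any of its posters: a POSIX shell script that applies the agent approach to the unattended scp backup under discussion and handles the failure mode raised above (the agent disappearing after a reboot or `pkill ssh-agent`) by refusing to run and telling the operator what to do. The socket path, source directory and destination host are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): an unattended scp backup that relies on
# a long-lived ssh-agent rather than a passphrase-less key.  After each boot an
# operator runs "ssh-agent -a $AGENT_SOCK" once and loads the key with ssh-add;
# cron then runs this script, which refuses to proceed if the agent is gone.
# Socket path, source directory and destination are assumptions.

AGENT_SOCK="${AGENT_SOCK:-/var/run/backup-agent/agent.sock}"  # assumed path
SRC_DIR="${SRC_DIR:-/var/backups}"                            # assumed path
DEST="${DEST:-backup@backuphost.example:/srv/backups/}"       # assumed target

# Probe the agent listening on socket $1.  Return codes:
#   0 agent reachable and holds at least one key
#   1 agent reachable but holds no identities (ssh-add -l convention)
#   2 no agent answers on that socket (after reboot or "pkill ssh-agent")
#   3 ssh-add is not installed
agent_status() {
    sock=$1
    command -v ssh-add >/dev/null 2>&1 || return 3
    [ -S "$sock" ] || return 2
    if SSH_AUTH_SOCK=$sock ssh-add -l >/dev/null 2>&1; then
        return 0
    else
        rc=$?
    fi
    [ "$rc" -eq 1 ] && return 1
    return 2
}

# Operator-facing explanation of an agent_status code, for the cron mail.
describe_status() {
    case $1 in
        0) echo "agent reachable, key loaded" ;;
        1) echo "agent holds no identities: run ssh-add against $AGENT_SOCK" ;;
        2) echo "no agent on $AGENT_SOCK: start ssh-agent -a and ssh-add after reboot" ;;
        *) echo "ssh-add not found in PATH" ;;
    esac
}

# Copy SRC_DIR to DEST via the agent; -B (batch mode) makes scp fail instead
# of prompting, so a missing key can never hang an unattended job.
run_backup() {
    agent_status "$AGENT_SOCK" || {
        rc=$?; echo "backup skipped: $(describe_status "$rc")" >&2; return "$rc"; }
    SSH_AUTH_SOCK=$AGENT_SOCK scp -B -r "$SRC_DIR" "$DEST"
}

# Run only when invoked as a script named backup.sh, not when sourced.
case $0 in */backup.sh|backup.sh) run_backup ;; esac
```

The non-zero exit and the stderr message are what cron mails to the operator, so an agent lost to a reboot shows up as a skipped backup rather than a silent one.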
