SSH password as a command-line parameter?
Matthew Kuiken
matt.kuiken at verizon.net
Sun Jun 18 16:39:24 UTC 2006
Daniel Carrera wrote:
> Neil Blakey-Milner wrote:
> <snip>
>> In particular, if you do have a key that doesn't require a passphrase
>> (because it is going to be used for an automated process), it may be
>> best to limit that key to only performing a single command. This can be
>> done in the authorized_keys file.
>
> That's an option, though naturally I like having a password. Though I
> guess that technically if someone can grab my private key they can
> probably grab the script with the password as well...
>
>> Passphrases don't have to be irritating, since Ubuntu graphical logins
>> run an "agent" (read the ssh-agent manual page) that allows you to
> unlock the keys with their passphrases for the current session.
>
> I already know ssh-agent, but I don't think I want to depend on it. If
> I restart my computer for some reason and forget to run it I might go
> for days without backups. I don't find passwords irritating.
I got the impression from the password comment that you were not using
keys. Sorry for the misunderstanding.

I'm certain ssh-agent could be set up to automatically run when you log
in to Gnome/KDE. It could prompt you for the passphrase then. I've
seen pages that talk about installing ssh-askpass for this purpose.

Another option is libpam-ssh. It uses a PAM module to use the password
you gave to gdm to open the agent. This is slightly less secure than
using a separate passphrase, but still requires the hacker to at least
get one password before getting full access. It also prevents a stolen
key file from being useful unless the passphrase was stolen, too.

HTH,
-Matt
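
The single-command restriction mentioned in the quoted text above is set in the options field at the start of an authorized_keys line. As an added example (not part of the original thread), this Python script audits authorized_keys entries for a missing `command=` option and missing forwarding/pty restrictions; the sample keys, host names and command paths are constructed.

```python
# Added example: audit authorized_keys entries for the forced-command restriction.
KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")   # prefixes of public key type names
RESTRICTIONS = ("no-port-forwarding", "no-agent-forwarding",
                "no-x11-forwarding", "no-pty")

def split_unquoted(text, seps, maxsplit=-1):
    """Split on separator characters that fall outside double quotes."""
    parts, cur, quoted = [], "", False
    for i, ch in enumerate(text):
        if ch == '"' and (i == 0 or text[i - 1] != "\\"):
            quoted = not quoted
        if ch in seps and not quoted and maxsplit != 0:
            parts.append(cur)
            cur, maxsplit = "", maxsplit - 1
        else:
            cur += ch
    return parts + [cur]

def audit(text):
    """Return [(comment, findings)] for each key line of authorized_keys text."""
    report = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith(KEY_TYPES):        # no options field at all
            options, rest = "", line
        else:                                 # options end at first unquoted blank
            options, rest = (split_unquoted(line, " \t", 1) + [""])[:2]
        fields = rest.split(None, 2)          # key type, base64 blob, comment
        comment = fields[2] if len(fields) > 2 else "(no comment)"
        opts = {o.partition("=")[0].lower() for o in split_unquoted(options, ",") if o}
        findings = [] if "command" in opts else ["no forced command"]
        if "restrict" not in opts:            # "restrict" applies all of these
            findings += ["missing " + r for r in RESTRICTIONS if r not in opts]
        report.append((comment, findings))
    return report

# Constructed sample input: keys, hosts and command paths are made up.
SAMPLE = '''
command="/usr/local/bin/backup-recv --dir /srv/b,1",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3EXAMPLE1 backup@laptop
ssh-rsa AAAAB3EXAMPLE2 daniel@desktop
restrict,command="rsync --server" ssh-ed25519 AAAAC3EXAMPLE3 cron@nas
from="192.0.2.10",no-pty ssh-rsa AAAAB3EXAMPLE4 batch@host
'''

if __name__ == "__main__":
    for comment, findings in audit(SAMPLE):
        print(comment, "->", ", ".join(findings) or "restricted to one command")
```

The public key alone does not reveal whether its private half has a passphrase, so the audit treats every entry without a forced command as a finding.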