[CLUE-Tech] ssh using RSA authentication?

Jed S. Baer thag at frii.com
Wed Nov 27 10:01:58 MST 2002


On Wed, 27 Nov 2002 09:35:21 -0700
David Anselmi <anselmi at americanisp.net> wrote:

> Dave Price wrote:
> > Hi,
> > 
> > I am trying to set up 'no password' access to remote systems with ssh
> > and RSA keys.
> > 
> > I have built both rsa and rsa1 keys on a mandrake client - these have
> > null passwords
> 
> Null passwords is perhaps a bad idea, but may be necessary...

This is one of those difficult questions. Just to be clear, we're talking
about having a null passphrase associated with the SSH key, in particular,
with the private key portion which sits on the local machine.

I just went through this exercise, in order to set up CVS access via SSH to
SourceForge. I wasn't quite clear on the concept, so, when I generated my
key pair, I followed the guidance in the ssh-keygen manpage:

  Good passphrases are 10-30 characters long
  and are not simple sentences or otherwise
  easily guessable (English prose has only 1-2
  bits of entropy per word, and provides very
  bad passphrases).

Not realizing I'd have to enter the bloody passphrase every time I used
the key, I entered a very convoluted string. Didn't take me very long to
tire of this, and change the passphrase to null.

Of course, the question is how secure is this? If I feel confident that
nobody is going to break into my home machine and steal the private half
of the key, then it's OK. Even if someone did, as long as I use it only
for SourceForge, what's the worst thing that can happen? If someone were
to use it to insert malicious code into the repository I have access to,
it would be quickly noticed (OK, I'm playing the optimist, but it's
probably true).

But the whole point, in this particular case, is to have security, without
having to continue typing passwords at the console.

Yes, I know that I could have my cake and eat it too, by using ssh-agent,
and at some point, I might well consider doing so.

jed
-- 
We're frogs who are getting boiled in a pot full of single-character
morphemes, and we don't notice. - Larry Wall; Perl6, Apocalypse 5
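
Added example, not part of the original message: a way to audit which private key files on a machine carry no passphrase, by reading the file header instead of trying to load the key. It covers the rsa1 and PEM files discussed in the thread and, going beyond it, the later PKCS#8 and openssh-key-v1 formats; the function name and the sample bytes are constructed for illustration.

```python
import base64
import re
import struct

SSH1_MAGIC = b"SSH PRIVATE KEY FILE FORMAT 1.1\n\x00"   # rsa1 (protocol 1) files
OPENSSH_MAGIC = b"openssh-key-v1\x00"                     # later OpenSSH format
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----\r?\n(.*?)-----END \1-----", re.S)


def passphrase_status(data: bytes) -> str:
    """Classify private-key bytes as 'encrypted', 'unencrypted' or 'unknown'."""
    if data.startswith(SSH1_MAGIC):
        # The byte after the magic is the cipher number; 0 means no cipher.
        if len(data) == len(SSH1_MAGIC):
            return "unknown"
        return "unencrypted" if data[len(SSH1_MAGIC)] == 0 else "encrypted"
    m = PEM_RE.search(data)
    if not m:
        return "unknown"
    label, body = m.group(1), m.group(2)
    if label == b"ENCRYPTED PRIVATE KEY":      # PKCS#8 encrypted container
        return "encrypted"
    if label == b"PRIVATE KEY":                # PKCS#8 plaintext container
        return "unencrypted"
    if label == b"OPENSSH PRIVATE KEY":
        try:
            blob = base64.b64decode(b"".join(body.split()))
        except ValueError:
            return "unknown"
        off = len(OPENSSH_MAGIC)
        if not blob.startswith(OPENSSH_MAGIC) or len(blob) < off + 4:
            return "unknown"
        (n,) = struct.unpack(">I", blob[off:off + 4])
        cipher = blob[off + 4:off + 4 + n]     # cipher name; "none" = no passphrase
        if len(cipher) != n:
            return "unknown"
        return "unencrypted" if cipher == b"none" else "encrypted"
    # Traditional PEM (RSA/DSA/EC): a passphrase shows up as a Proc-Type header.
    return "encrypted" if b"Proc-Type: 4,ENCRYPTED" in body else "unencrypted"


# Constructed samples: headers only, no real key material.
LEGACY_PLAIN = b"-----BEGIN RSA PRIVATE KEY-----\nMIIB\n-----END RSA PRIVATE KEY-----\n"
LEGACY_ENC = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              b"DEK-Info: DES-EDE3-CBC,0000000000000000\n\nMIIB\n"
              b"-----END RSA PRIVATE KEY-----\n")
```

Feed it the bytes of each file under ~/.ssh that is not a .pub file; anything reported as unencrypted is a key whose only protection is the file's permissions.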


