[olug] SSH public/private keys

Christopher Cashell topher at zyp.org
Wed Nov 12 00:13:30 UTC 2003


At Tue, 11 Nov 03, Unidentified Flying Banana Eric Penne, said:
> Here is a little howto on using ssh without a password to log in to places.

[Snip: Instructions on setting up SSH with RSA/DSA key authentication.]

> I log off of olug.org then I try to log back into olug.org and presto! I
> don't need a password.

Hrm. . . I think you're missing a step, here.  My experience is that you
need to use ssh-agent[1] in order to bypass entering a password each
time you login to a new machine.

Using RSA/DSA keys allows you access to an account without using/knowing
the actual account password, but it does still require you to know the
password for the RSA/DSA key.

The only other way around entering a password each time (without using
ssh-agent) that I know of would be to use an empty (blank) password when
you create the SSH RSA/DSA key.  In my opinion, this would be a Very Bad
Idea (tm).

> Back to security.  Remember that you don't want to leave the account that
> has your private key (.ssh/id_dsa) open to anybody or they could use that
> to login to the server without the password.  You should probably
> periodically change these keys.  It isn't that hard and it saves a lot of
> typing if you login to a certain machine many times.

Proper use of SSH RSA/DSA keys should be fairly secure.  You shouldn't
have to change the key for a very long time, provided you ensure that
your private key is not accessible.  Changing the password on your
private key is, of course, a good idea, and should be done regularly.

> Eric Penne

 [1] ssh-agent is like a password cache for SSH.  You start it up,
     frequently as part of a login script, and then use 'ssh-add' to
     tell it about an SSH key and the corresponding password.  From that
     period on, any requests for that SSH key will be handled.

-- 
| Christopher
+------------------------------------------------+
| A: No.                                         |
| Q: Should I include quotations after my reply? |
+------------------------------------------------+
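As an added illustration of the two practical points in the exchange above (the private key must not be readable by anyone else, and ssh-agent is what lets you type the key passphrase once per session rather than once per login), here is a small POSIX shell script. It is example code written for this archive page, not part of the original post and not part of OpenSSH; the key path $HOME/.ssh/id_rsa and the function names are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenSSH.
# Assumed key path (hypothetical): $HOME/.ssh/id_rsa

# key_is_private FILE
# Returns 0 when FILE exists and its mode grants nothing to group or
# other (0600, 0400, ...); returns 1 otherwise. This is the "not
# accessible to anybody" condition from the thread, written as a check.
key_is_private() {
    f=$1
    [ -f "$f" ] || return 1
    # GNU stat (Linux) first, BSD/macOS stat as the fallback.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    # Keep only the last three octal digits (drops setuid/sticky digits).
    mode=$(printf '%s' "$mode" | sed 's/.*\(...\)$/\1/')
    case $mode in
        [0-7]00) return 0 ;;
        *)       return 1 ;;
    esac
}

# secure_key FILE
# Tightens FILE to 0600 and its containing directory to 0700, then
# re-checks with key_is_private. Intended for $HOME/.ssh/id_rsa; the
# directory chmod assumes FILE lives in your own .ssh directory.
secure_key() {
    f=$1
    [ -f "$f" ] || return 1
    chmod 700 "$(dirname "$f")" && chmod 600 "$f" && key_is_private "$f"
}

# agent_session KEY
# The login-script pattern the thread refers to: start an agent for this
# shell, load KEY (ssh-add prompts for the key passphrase once), and list
# what the agent now holds. Every later ssh to a host whose
# ~/.ssh/authorized_keys contains the matching public key then needs
# neither the account password nor the key passphrase.
agent_session() {
    key=$1
    command -v ssh-agent >/dev/null 2>&1 || {
        echo "ssh-agent not installed" >&2; return 1; }
    key_is_private "$key" || {
        echo "refusing: $key is readable by group/others" >&2; return 1; }
    eval "$(ssh-agent -s)" >/dev/null   # exports SSH_AUTH_SOCK, SSH_AGENT_PID
    ssh-add "$key" && ssh-add -l
}

# Typical interactive use (the agent step is only run when asked for,
# because ssh-add prompts for the passphrase):
#   ssh-keygen -t rsa -b 4096 -f "$HOME/.ssh/id_rsa"  # give it a real passphrase
#   secure_key "$HOME/.ssh/id_rsa"
#   sh this_script.sh --agent "$HOME/.ssh/id_rsa"
#   ssh olug.org                                       # no password prompt
if [ "${1:-}" = "--agent" ]; then
    agent_session "${2:-$HOME/.ssh/id_rsa}"
fi
```

The permission check is worth having in a login script because ssh itself refuses a private key whose mode is group- or world-readable ("Permissions ... are too open"), so a loose mode on id_rsa or id_dsa shows up as a sudden password prompt rather than an obvious error. Leaving the passphrase empty at ssh-keygen time would also make the agent step unnecessary, which is exactly the trade-off the thread warns against.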


