Re: Null-passphrase vs ssh-agent

Gian G. Spicuzza wrote:
> Dear Patrick,
>
> Thank you for your response. The client must meet the following 
> conditions to successfully login:
>
> 1) Proper IP
> 2) Proper Private Key (null-passphrase so at night, when backups are 
> initiated, a user does not need to be at console)
> 3) Appropiate command (scp or rsync)
>
> Is there any other way of setting up keys for passwordless logins that 
> are more secure than null-passphrases?
>
> Thanks,
>
> Gian
>
> Patrick Morris wrote:
>
> > No, it's not.  If someone has the private key file, they can log in 
> > with it.
> > If it's got a passphrase, they need to know that, too.
> >
> > Even with ssh-agent, someone has to enter the passphrase at some point.
> > That makes it infinetely more secure than passphraseless keys.
> > -----Original Message-----
> > From: Gian G. Spicuzza [mailto:gianspi@gsent.org] Sent: Friday, March 
> > 10, 2006 8:58 AM
> > To: secureshell@securityfocus.com
> > Subject: Null-passphrase vs ssh-agent
> >
> > Hello.  I have implemented PKA with a null-passphrase instead of using
> > ssh-agent.  Is this just as secure as using ssh-agent?
> >
> > Thank you,
> >
> > Gian G Spicuzza
> >
> >
> >
> >
> >
> >
> >  


Not really, not unless you want to have your password in a text file & 
redirect form stdin, but that is less secure then passphrase-less keys. 
Could automate with an expect script or a perl wrapper but you still 
have the password in a text file.

Only other suggestions is to use a restricted shell for the account you 
want to cron out & see if you can get by with a non-privileged account 
depending on what you need it to do.

hth,
 Jesse