[NBLUG/talk] Duplicating a server

Todd Cary todd at aristesoftware.com
Mon Nov 21 16:35:08 PST 2005


I am not sure how to set up SSH key authorization.  In the $HOME/.ssh 
directory, I have the file: authorized_keys.  The IP is associated with 
my destination.

How to create the appropriate files on the two servers is not clear to 
me.  Any help is appreciated.

Todd

Chris Palmer wrote:

>Lincoln Peters writes:
>
>>And, yes, the --password-file argument has the same problem of storing
>>the password in clear text.
>
>As does SSH key authentication, if you don't protect the private key
>file with a password (and, really, even if you do).
>
>If you want automation, there has to be a cleartext secret somewhere, in
>some form.
>
>This situation:
>
>    $ umask 077
>    $ cd
>    $ mkdir secrets
>    $ vi secrets/rsync-passwd
>    $ ls -al secrets
>    total 8
>    drwx------    3 chris  chris   102 Nov 21 11:37 .
>    drwxr-xr-x   70 chris  chris  2380 Nov 21 11:37 ..
>    -rw-------    1 chris  chris    16 Nov 21 11:37 rsync-passwd
>
>is pretty good, as far as it goes. rsync-passwd is as well-protected as
>your private SSH key.
>
>(Note that setting umask first, and using an interactive editor instead
>of echo, is important for security -- avoiding race conditions and
>attackers looking at the process table.)
>
>
>>The problem is that the security chain is only as strong as its
>>weakest link.  If you forget even one tiny little detail, it puts the
>>entire system at risk.  So you're probably better off using SSH key
>>authentication, thus avoiding the issue of passwords altogether and
>>thereby eliminating several links from the chain.
>
>I really don't think using SSH keys is much different. There is still a
>stored secret; it's just bigger than your average password. The only
>real difference between a password file and a cleartext private key is
>that you can limit what SSH will execute when using key authentication.
>(That mechanism is not foolproof either; see also sudo hijinks.)
>

-- 
Ariste Software
2200 D Street Ext
Petaluma, CA 94952
(707) 773-4523
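The two protections discussed in the thread above, as an added shell example rather than code posted by anyone in it: creating the stored secret under umask 077 without putting it on the command line, auditing its mode, and an authorized_keys entry that limits what the key may execute. The wrapper path /usr/local/bin/rsync-wrapper, the password and the key material are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Shows the two protections discussed
# above: a stored secret created under umask 077 (never world-readable, never
# on the command line), an audit of its mode, and an authorized_keys entry
# that restricts what the key is allowed to execute.
set -eu

# Write the secret read from stdin into $1. The umask is set first, inside a
# subshell so it does not leak to the caller, and cat reads the secret from
# stdin (a heredoc) rather than an argument, so it never appears in the
# process table.
create_secret() {
    (
        umask 077
        mkdir -p "$(dirname "$1")"
        cat > "$1"
    )
}

# Succeed only if $1 is a regular file with no group/other permission bits.
# Columns 5-10 of ls -ld are the group and other bits; works with GNU and BSD ls.
audit_secret() {
    [ -f "$1" ] || return 1
    perm=$(ls -ld "$1" | cut -c5-10)
    [ "$perm" = "------" ]
}

# Build an authorized_keys line pinned to one forced command, with pty and
# port/agent/X11 forwarding disabled (the "limit what SSH will execute"
# mechanism). $1 = wrapper path, $2 = public key ("type base64").
restricted_key_line() {
    printf 'command="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$1" "$2"
}

# Demo in a throwaway directory; the password and key below are constructed.
DEMO_DIR=$(mktemp -d)
create_secret "$DEMO_DIR/rsync-passwd" <<'EOF'
constructed-example-password
EOF
audit_secret "$DEMO_DIR/rsync-passwd" && echo "rsync-passwd mode OK (0600)"
restricted_key_line /usr/local/bin/rsync-wrapper "ssh-rsa AAAAB3...constructed"
```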



