Fix broken SSH Public Key Authentication
Authored by: Sesquipedalian on Sep 25, '07 09:48:26PM
While ssh-agent and sshkeychain are helpful in reducing the amount of user interaction substantially, the fact that they still require user interaction limits their usefulness for automated tasks such as mine. Instead, I use a combination of IP-based and command-restriction-based methods to ensure that only specific tasks run by specific users on specific machines can happen without a passphrase. First, to quote stocksy's page, one can specify specific users and IP addresses in sshd_config:
Alternatively, you could format the line like this if you know the IPs that require remote access:
AllowUsers tom@194.202.218.1 dick@stocksy.is-a-geek.com harry@18.51.1.222
And then, as shown on Mike Bombich's page on this, one can modify the authorized_keys file to only allow specific commands to execute with a given key by adding the following to the beginning of the line that contains that given public key:
command="/path/to/allowed/command"
Since I am running this only within my home network, which is secured against the outside, I can completely control which IP addresses are allowed. Thus, any would-be attacker would need to be logged into either my or my wife's account (which means they already have access to our files) on one of our home computers (which means they are most likely in our house, and I have larger problems to worry about), and have devised an attack that can work through rsync (since that is the permitted command). By the time all those conditions are fulfilled, having ssh keys without passphrases is a moot point.

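An added example, not part of the original comment: a small Python audit for the two controls described above, listing authorized_keys entries that have no command="..." option and AllowUsers patterns that have no @host part. The function names and the sample input (placeholder key material, the "dick" entry without a host) are constructed for illustration.

```python
import re

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # a line starting with one of these has no options
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?')

def key_options(line):
    """Parse the leading options field of one authorized_keys line into a dict."""
    # Quoted values may hold spaces, commas and \" so a plain split() is not enough.
    line = line.strip()
    opts, i = {}, 0
    if line.startswith(KEY_TYPES):
        return opts
    while i < len(line) and not line[i].isspace():
        m = OPTION.match(line, i)
        if not m:
            raise ValueError("malformed options field: %r" % line[:40])
        opts[m.group(1).lower()] = True if m.group(2) is None else m.group(2)
        i = m.end()
        if line[i:i + 1] == ",":
            i += 1
    return opts

def unrestricted_keys(authorized_keys):
    """Line numbers of keys that carry no command="..." forced command."""
    hits = []
    for num, line in enumerate(authorized_keys.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#"):
            if "command" not in key_options(line):
                hits.append(num)
    return hits

def unpinned_users(sshd_config):
    """AllowUsers patterns with no @host part, i.e. accepted from any address."""
    loose = []
    for line in sshd_config.splitlines():
        words = line.split("#", 1)[0].split()
        if words and words[0].lower() == "allowusers":
            loose += [w for w in words[1:] if "@" not in w]
    return loose

# Constructed sample input; the key blobs are placeholders, not real keys.
SAMPLE_KEYS = '''# key used by the automated job
command="/path/to/allowed/command --opt a,b",no-pty ssh-ed25519 AAAAPLACEHOLDER1 backup@laptop
ssh-ed25519 AAAAPLACEHOLDER2 admin@desktop
'''
SAMPLE_CONFIG = "AllowUsers tom@194.202.218.1 dick harry@18.51.1.222\n"

if __name__ == "__main__":
    print(unrestricted_keys(SAMPLE_KEYS), unpinned_users(SAMPLE_CONFIG))
```

Run against a real ~/.ssh/authorized_keys and sshd_config, any line number or user name it reports is a key or account that the restrictions described above do not cover.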