[TriLUG] Remote Execution using remctl
Alan Porter via TriLUG
trilug at trilug.org
Wed Sep 2 14:15:38 EDT 2015
As usual, John has good advice.
However, if you're new to SSH keys, don't get hung up on the idea of
keys that are themselves encrypted using passphrases. That's a leap of
logic that can be hard to swallow when you're first converting from
passwords to keys.
In general, I keep my keys without passphrases on machines that I
operate (my personal laptop). I add passphrases to keys that are stored
on someone else's machines (work laptop). That is... I am not afraid
that you'll break into my laptop and steal the keys that will let you
into my web server. But since my company's IT department has a backup
of my $HOME, I encrypt those keys with a passphrase.
(Actually, a far better motivation for encrypting my keys with a
passphrase came when I learned that my backup of $HOME was accessible by
my prankster co-workers).
Without a passphrase:
* $HOME/.ssh/id_rsa is readable and usable without a passphrase.
* Scripts work without user interaction - rsync files every night at
midnight, and so on.
With a passphrase:
* The $HOME/.ssh/id_rsa file is encrypted. The IT department can't
use that key.
* You can't use that key in a script that runs via cron, because
there's no one to unlock the key file.
* There are tools like "ssh-agent" that will remember your passphrase
for a while (like until you log out), so you are not continuously
pestered to enter it.
But yes, like John says, turn off passwords and turn on keys:
* for root (using "PermitRootLogin without-password" in
/etc/ssh/sshd_config)*
* for everybody (using "ChallengeResponseAuthentication no" and
"PasswordAuthentication no")
It'll change your life.
Alan
* I know, that setting sounds scary. It's not what it sounds like.
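As an added example (not part of Alan's post, and not an official OpenSSH tool), here is a small POSIX sh checker for the three sshd_config directives he lists. It reads a config file, takes the first uncommented occurrence of each directive the way sshd does, and reports which ones still differ from the recommended values. Both config files below are constructed for the demonstration; the function names sshd_option and check_sshd_config are mine.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings recommended in the post.
# Assumes POSIX sh plus awk; the two sample configs are constructed inline.

# Print the effective value of one directive. sshd uses the first match it
# finds and matches directive names case-insensitively, so we do the same.
sshd_option() {
    # $1 = path to config file, $2 = directive name
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                       # skip comment lines
        tolower($1) == tolower(key) { print $2; exit }  # first match wins
    ' "$1"
}

# Print "ok" and return 0 when every directive matches; otherwise print one
# "... want ..." line per offending directive and return 1.
check_sshd_config() {
    cfg="$1"; rc=0
    pa=$(sshd_option "$cfg" PasswordAuthentication)
    cr=$(sshd_option "$cfg" ChallengeResponseAuthentication)
    pr=$(sshd_option "$cfg" PermitRootLogin)
    # sshd's compiled-in default for both of these is "yes", so an absent
    # line is just as weak as an explicit "yes".
    [ "${pa:-yes}" = "no" ] || { echo "PasswordAuthentication is '${pa:-yes}', want no"; rc=1; }
    [ "${cr:-yes}" = "no" ] || { echo "ChallengeResponseAuthentication is '${cr:-yes}', want no"; rc=1; }
    # "prohibit-password" is the newer spelling of "without-password".
    case "$pr" in
        without-password|prohibit-password) ;;
        *) echo "PermitRootLogin is '${pr:-default}', want without-password"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo ok
    return "$rc"
}

# Constructed sample 1: a config that still accepts passwords. Note the
# commented-out line, which sshd ignores entirely.
WEAK_CFG=$(mktemp)
HARDENED_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARDENED_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# constructed sshd_config (weak)
Port 22
#PasswordAuthentication no
PermitRootLogin yes
EOF

# Constructed sample 2: the same file with Alan's settings applied.
cat > "$HARDENED_CFG" <<'EOF'
# constructed sshd_config (hardened)
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin without-password
PubkeyAuthentication yes
EOF

check_sshd_config "$WEAK_CFG" || true   # prints three "want" lines
check_sshd_config "$HARDENED_CFG"       # prints ok
```

On a live host, `sshd -T` (run as root) prints the fully resolved configuration, including defaults and Match blocks, so feeding its output to check_sshd_config is more reliable than reading the file directly. Recent OpenSSH releases spell the root setting `prohibit-password` and treat `ChallengeResponseAuthentication` as an alias of `KbdInteractiveAuthentication`; the older names Alan uses are still accepted.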