
[ale] automating ssh script

Ed Landa wrote:
>>What I don't know, and maybe someone can enlighten me....if someone hacks my
>>system and steals my private key, and steals all the ssh-agent information,
>>will that not also give them the same capability as if they had the passphrase?
> No, the passphrase and key are two separate parts of the authentication
> process.  The key roughly corresponds to "something you have", while the
> passphrase is "something you know".  Only the combination of the two
> serves as an authentication.

A given.  I was running on the assumption that the information in ssh-agent was persistent, but it is not.  It is per session.
The passphrase will be used to encrypt the sensitive part of the key using 3DES.

So, it appears the model is:
Start session/login.
   Start ssh-agent and export environment.
     Run ssh-add
       If there are passphrases on the private keys, you are prompted for them.
       The agent now stores the unencrypted key in memory.
     Run ssh/scp/sftp as you please
       The agent handles all authentication for you using the unencrypted key it stores in memory.

So, using this method, you still get an initial prompt for the passphrase if the key contains one.  Not ideal for automation.

And so, you'd have to be one heck of a good hacker or ssh-agent would have to be seriously flawed in order to steal the unencrypted key from it.

Lost in Tokyo,
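The session model laid out in the post above, walked through as an added shell example (this is not code from the original message or from anyone on the ALE list). It assumes the OpenSSH client tools (ssh-keygen, ssh-agent, ssh-add) are on PATH; the key file, its comment and the temporary directory are constructed for the demo, and the key is generated without a passphrase only so the run needs no prompt. The point it shows is the one the post makes: the decrypted key lives only in the agent's memory for the life of the session, and killing the agent when the session ends makes it unreachable.

```shell
#!/bin/sh
# Added example (not from the original ALE post): start a per-session agent,
# load a key into it, confirm the agent answers, and tear it down with the
# session. Requires the OpenSSH client tools on PATH.
set -e

for tool in ssh-keygen ssh-agent ssh-add; do
    command -v "$tool" >/dev/null 2>&1 || { echo "needs openssh-client ($tool)"; exit 0; }
done

# Throwaway working directory and key path (constructed for the demo).
WORK=$(mktemp -d)
KEY="$WORK/id_ed25519"

# Generate a throwaway key. -N "" writes the private key unencrypted so the
# demo runs without a prompt; a real key would get a passphrase here, and
# ssh-add below would then prompt for it once, as the post describes.
gen_key() {
    ssh-keygen -q -t ed25519 -N "" -C "throwaway demo key" -f "$KEY"
}

# Start an agent for this session only and load the key into it.
# "ssh-agent -s" prints shell commands that export SSH_AUTH_SOCK and
# SSH_AGENT_PID; eval-ing them points ssh-add/ssh at this agent.
start_agent_and_add() {
    eval "$(ssh-agent -s)" >/dev/null
    # From here on the decrypted private key is held only in agent memory.
    ssh-add "$KEY" 2>/dev/null
}

# Returns 0 when the agent is reachable and holds at least one identity,
# 1 when it is reachable but empty, 2 when no agent can be contacted.
agent_has_key() {
    ssh-add -l >/dev/null 2>&1
}

# Kill the agent so the decrypted key does not outlive the session.
stop_agent() {
    ssh-agent -k >/dev/null 2>&1 || true
}

cleanup() {
    stop_agent
    rm -rf "$WORK"
}
trap cleanup EXIT

gen_key
start_agent_and_add
agent_has_key && echo "key loaded into per-session agent (socket: $SSH_AUTH_SOCK)"
```

Running it prints one line confirming the key is loaded; on exit the trap kills the agent and removes the temporary key, so a second `ssh-add -l` afterwards cannot reach any agent. With a passphrase-protected key, only the `ssh-add` step would change: it prompts once, and every later ssh/scp/sftp in the session is answered by the agent.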

This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.