need wrapper for ssh/scp

Thomas Wouters thomas at xs4all.net
Wed Mar 29 15:08:06 EST 2000


On Wed, Mar 29, 2000 at 11:13:55AM -0700, Andrew Patterson wrote:
> >    % cat ~/.ssh/identity.pub | ssh fiji at twaddle \
> >         'mkdir .ssh ; chmod 700 .ssh ; cat >>.ssh/authorized-keys'

> Got this working.  I was already doing the above, but the account was
> protected by a passphrase.  I since deleted the passphrase, and everything
> works fine.  I am still a little worried about security, since anyone who
> has access to the identity.pub file can now log into the remote machine.

No, they actually need 'identity', your private key, not 'identity.pub'.
They can give you access to their machine if they have your identity.pub
though, and that's exactly how it's supposed to work ;) 'identity' is your
private, secret key, which you can use to decrypt data encrypted by your
public key ('identity.pub') and the other way around. The passphrase is
actually a password to decrypt your secret key ('identity'), which you can
choose to leave decrypted.

> Embedding passwords in scripts, however, introduces their own sort of
> security holes.

Indeed. If your purpose is, however, to ask a person for their passphrase
once, and then use it multiple times for different ssh/scp connections, you
can use the pty module I pointed at in my previous message.

You might also want to look at ssh-agent, which is a passphrase-agent. Give
it your passphrase once, and all your sub-processes (or indeed any of your
processes that have the 'SSH_AUTH_SOCK' environment variable set to the
right socket) can start up ssh without needing to supply a passphrase. Less
secure again, but more secure than hardcoding passphrases in scripts or
leaving the private key unprotected.

But then again, for most situations, such excessive security isn't
necessary. Just make sure you are really in that kind of situation ;)

-- 
Thomas Wouters <thomas at xs4all.net>

Hi! I'm a .signature virus! copy me into your .signature file to help me spread!
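As an added example (not part of the thread or of any poster's code), a defender-side check for the two points Thomas makes: whether the private key on disk is still passphrase-protected, and whether an ssh-agent is reachable through SSH_AUTH_SOCK. It reads the Proc-Type header of legacy PEM keys and the cipher name in the openssh-key-v1 container; the sample keys are constructed headers only, not real keys, and the function names are my own.

```python
import base64
import os
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"  # container used by modern OpenSSH keys

def _read_string(buf, off):
    # OpenSSH wire strings: uint32 big-endian length, then that many bytes
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def key_is_passphrase_protected(key_text):
    """True if the on-disk private key is encrypted, i.e. needs a passphrase."""
    lines = key_text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-armoured private key")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, _ = _read_string(body, len(OPENSSH_MAGIC))
        return cipher != b"none"  # cipher "none" means the key is stored in the clear
    # Legacy PEM (RSA/DSA/EC): encryption is announced in a Proc-Type header
    return any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines[1:4])

def agent_available(environ=os.environ):
    """True if an ssh-agent socket is advertised via SSH_AUTH_SOCK and exists."""
    sock = environ.get("SSH_AUTH_SOCK")
    return bool(sock) and os.path.exists(sock)

def constructed_openssh_key(cipher, kdf):
    # Minimal openssh-key-v1 header only: a constructed sample, not a real key
    body = OPENSSH_MAGIC
    for field in (cipher, kdf, b""):
        body += struct.pack(">I", len(field)) + field
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % base64.b64encode(body).decode()

# Constructed legacy-PEM samples: only the headers matter, the body is dummy
LEGACY_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
                    "QUFBQQ==\n-----END RSA PRIVATE KEY-----\n")
LEGACY_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nQUFBQQ==\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    samples = {"openssh/encrypted": constructed_openssh_key(b"aes256-ctr", b"bcrypt"),
               "openssh/plain": constructed_openssh_key(b"none", b"none"),
               "legacy/encrypted": LEGACY_ENCRYPTED, "legacy/plain": LEGACY_PLAIN}
    for name, text in samples.items():
        print("%-18s protected: %s" % (name, key_is_passphrase_protected(text)))
    print("agent reachable:", agent_available())
```

Run it against the files in ~/.ssh (read them yourself and pass the text in) to find keys left without a passphrase, which is the situation Thomas warns about.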