Non-interactive root access via hostbased using shosts.equiv
Jason Stone
jason at shalott.net
Sat Mar 30 11:01:46 EST 2002
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> I'm looking for a solution to the following problem -
> I need to be able to use OpenSSH from root on one
> system to perform work on several dozen other systems
> using some automation. The restrictions that have to
> be met to keep the business happy are that no
> cleartext passwords or unencrypted private keys can be
> stored on disk. Since this is within an automated
> environment, there is no opportunity for human
> intervention to type in passwords or passphrases.
Uh, basically you can't do this. You have to have _some_ sort of
authentication token, and eventually it has to be provided in cleartext to
the processes that use it, either by a human providing or decrypting the
token, or by the token being already available to the system in plain
text.
> The original intent was to use host-based
> authentication via the shosts.equiv file.
Note that the key, the client machine's private host key, is the key you
are using to authenticate, and it is sitting on the disk in plaintext.
This is no different from giving root a regular, per-user (ie,
/root/.ssh/authorized_keys), un-encrypted key, but at least with the
per-user key, you can add restrictions to the key on the server side only
allowing logins from the main client machine, only allowing one or a
small, well-defined set of commands to be run with that key, etc.
-Jason
-----------------------------------------------------------------------
I worry about my child and the Internet all the time, even though she's
too young to have logged on yet. Here's what I worry about. I worry
that 10 or 15 years from now, she will come to me and say "Daddy, where
were you when they took freedom of the press away from the Internet?"
-- Mike Godwin
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg
iD8DBQE8pQBtswXMWWtptckRApA1AJ9tj2h62nRhKOQcUUHLFTBj1kDaQQCfaq/r
BG/AjfOSfE6aBxuA1TvL2lY=
=aXSI
-----END PGP SIGNATURE-----
More information about the openssh-unix-dev
mailing list