Question on SSH_ASKPASS

Gert Doering gert at greenie.muc.de
Fri Dec 25 22:55:03 EST 2009


Hi,

On Thu, Dec 24, 2009 at 08:51:25AM -0800, Carson Gaspar wrote:
> Gert Doering wrote:
> >On Thu, Dec 24, 2009 at 12:36:37PM +1300, Peter Lambrechtsen wrote:
> >>Why aren't you using authorized_keys with public/private keys?
> >>That's what it's there for. Among other reasons.
> >
> >Unfortunately, some vendors fail to understand this.  Like "Cisco".  Or
> >"Citrix" (who *can* do pubkey auth, but there is no persistent storage
> >on the netscalers, so it will only work up to the next reboot).
> >
> >For the time being, us poor admins have to fall back to nastier 
> >approaches... like "put passwords into files".
> 
> A better approach would be to use Kerberos. Most enterprise vendors like 
> the ones you mention support GSSAPI auth. Of course some don't :-(

Hmmm.  I didn't have that much exposure to Kerberos yet, but doesn't
Kerberos require me to manually acquire a ticket with kinit first, before
I can use that to remotely log in to devices?

The scenario I have in mind is things like "automatically and unattendedly
backup the configuration of routers via SSH", and requiring a manual kinit
first would not be very useful.

But still: you're sure kerberized SSH to Cisco or Citrix Netscalers works?
I've never seen this mentioned on any of the Cisco lists, and that would
certainly be helpful for day-to-day operations.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de


More information about the openssh-unix-dev mailing list