Question on SSH_ASKPASS
Gert Doering
gert at greenie.muc.de
Fri Dec 25 22:55:03 EST 2009
Hi,
On Thu, Dec 24, 2009 at 08:51:25AM -0800, Carson Gaspar wrote:
> Gert Doering wrote:
> >On Thu, Dec 24, 2009 at 12:36:37PM +1300, Peter Lambrechtsen wrote:
> >>Why aren't you using authorized_keys with a public/private keys.
> >>That's what it's there for. Among other reasons.
> >
> >Unfortunately, some vendors fail to understand this. Like "Cisco". Or
> >"Citrix" (who *can* do pubkey auth, but there is no persistant storage
> >on the netscalers, so it will only work up to the next reboot).
> >
> >For the time being, us poor admins have to fall back to nastier
> >approaches... like "put passwords into files".
>
> A better approach would be to use Kerberos. Most enterprise vendors like
> the ones you mention support GSSAPI auth. Of course some don't :-(
Hmmm. I didn't have that much exposure to Kerberos yet, but doesn't
kerberos require me to manually acquire a ticket with kinit first, before
I can use that to remotely log to devices?
The scenario I have in mind is things like "automatically and unattendedly
backup the configuration of routers via SSH", and requiring a manual kinit
first would not be very useful.
But still: you're sure kerberized SSH to Cisco or Citrix Netscalers work?
I've never seen this mentioned on any of the Cisco lists, and that would
certainly be helpful for day-to-day operations.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
More information about the openssh-unix-dev
mailing list