Security Basics mailing list archives

Re: Is SSH worth it??


From: Richard Caley <rjc () interactive co uk>
Date: Mon, 21 Oct 2002 11:15:35 +0100 (BST)

I don't think so - ssh-agent is useful on your actual workstation, when
you have to do regular logins - it caches the passphrase without the
need to save it in a file somewhere. As you probably won't be doing
multiple root logins from a single ssh-session, the usefulness is almost
zero.

Consider a setup where you run an ssh-agent for root at boot time, and
have a suitably trusted person load in some keys. From now on root
processes can use ssh to communicate with other machines who decide to
trust those keys.

The advantage is that the key is not available (unencrypted) in a file
anywhere. This prevents someone rebooting the machine single-user and
reading the key.

Of course, it is only as secure as (a) root access to that machine and
(b) ssh-agent and its ability to hide the key, but the first is true
of almost anything and the second at least limits your exposure to one
program which is hopefully maintained by people who think about
security issues.

Personally, I wouldn't allow automated root operations from other
machines by any method. Too much room for small errors and typos to
leave you wide open.

--
Mail me as MYFIRSTNAME () MYLASTNAME org uk        _O_
                                                 |<
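
The message's point that an agent-held key is "not available (unencrypted) in a file anywhere" can be checked on disk. The following is an added example, not part of the original post: it classifies private key files as passphrase-protected or not, for the legacy PEM layout and the newer OpenSSH layout. The names `key_protection` and `audit_dir` are hypothetical, and the sample keys are constructed placeholders containing no key material.

```python
import base64, os, struct
MAGIC = b"openssh-key-v1\x00"  # header of the newer OpenSSH private key format

def key_protection(text):
    """Return 'encrypted', 'unencrypted' or 'not-a-key' for a key file's text."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not (lines[0].startswith("-----BEGIN ") and "PRIVATE KEY" in lines[0]):
        return "not-a-key"
    label = lines[0][len("-----BEGIN "):].rstrip("-")
    if label == "ENCRYPTED PRIVATE KEY":              # PKCS#8 with encryption
        return "encrypted"
    if label == "OPENSSH PRIVATE KEY":
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        try:
            blob = base64.b64decode(body)
        except ValueError:                            # bad padding, not a usable key
            return "not-a-key"
        if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + 4:
            return "not-a-key"
        off = len(MAGIC)
        (n,) = struct.unpack(">I", blob[off:off + 4])  # length-prefixed cipher name
        return "unencrypted" if blob[off + 4:off + 4 + n] == b"none" else "encrypted"
    # Legacy PEM (RSA/DSA/EC) declares encryption in a Proc-Type header
    if any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:4]):
        return "encrypted"
    return "unencrypted"

def audit_dir(root):
    """Paths under root holding a private key stored without a passphrase."""
    hits = []
    for d, _, names in os.walk(root):
        for path in (os.path.join(d, n) for n in names):
            try:
                with open(path, errors="replace") as fh:
                    if key_protection(fh.read(65536)) == "unencrypted":
                        hits.append(path)
            except OSError:                           # unreadable file: skip it
                pass
    return sorted(hits)

def _openssh(cipher):  # constructed sample: truncated header, no key material
    s = lambda b: struct.pack(">I", len(b)) + b
    b64 = base64.b64encode(MAGIC + s(cipher)).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

SAMPLES = {  # constructed inputs; the "AAAA" bodies are placeholders
    "legacy_plain": "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n",
    "legacy_enc": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n\nAAAA\n-----END RSA PRIVATE KEY-----\n",
    "new_plain": _openssh(b"none"), "new_enc": _openssh(b"aes256-ctr"),
}
```

Running `audit_dir` over root's home directory and any directories used by automated jobs lists the key files that a single-user reboot would expose.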

