[NCLUG] ssh2 - hostbased authentications
dobbster
dobbster at frii.com
Fri Dec 8 21:56:01 MST 2000
Quent wrote:
>
> The risk is that root's private key is stored unencrypted if it's created
> with no passphrase.
>
> Although it's stored so only root can read it, if someone got a copy they
> could login to any remote host that trusts that key. With a passphrase,
> the key is encrypted so anyone getting a copy would have to crack the
> encryption in order to use the key.
>
> I think this is another trust problem: if B trusts A and C trusts B,
> then using ssh-agent and the private key from A, you can get C to trust A.
>
> Of course, if someone can get to a file that's only readable by root
> there are other problems.
>
> Quent
I haven't worked on this for a bit, but now I have done as you
suggested, using a null passphrase. I never managed to get the
"hostbased" authentication to function properly for root; I suspect it's
maybe because the IP address of the "local" machine doesn't resolve in
DNS.
Is it sufficient to have /root/.ssh/ on both the local and remote
machines set to 400? I would think that this would minimize the risk.
Thanks,
Mark (dobbster at frii.com)
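An added example, written for this page rather than taken from the thread or from any SSH implementation, that audits a .ssh directory for the two points the exchange above turns on: it flags a directory mode that drops the owner's search bit (the 400 asked about; a directory without x cannot be entered, so ssh cannot open the key and known_hosts files inside it), flags a directory or private key that is group- or world-accessible (OpenSSH refuses a private key with such permissions), and reports each private key that is stored without a passphrase. It assumes OpenSSH-style key files named id_* or identity, and OpenSSH's two on-disk markers for encryption: a "Proc-Type: 4,ENCRYPTED" header in PEM keys, and the cipher name ("none" when there is no passphrase) that follows the "openssh-key-v1" magic string in new-format keys. The ssh2 (ssh.com) key format the original poster was using is not handled.

```shell
#!/bin/sh
# Added example, not code from the thread or from any SSH project.
# Audits a .ssh directory: permissions of the directory and private keys,
# and whether each private key is stored encrypted (passphrase) or not.
# Assumes OpenSSH-style key files and OpenSSH's encryption markers.

# Octal permission bits of a path: GNU stat, with a BSD/macOS fallback.
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Print "encrypted", "plaintext" or "unknown" for one private key file.
key_encryption() {
    key=$1
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$key"; then
        echo encrypted                   # PEM key with a passphrase
    elif head -n 1 "$key" | grep -q 'BEGIN OPENSSH PRIVATE KEY'; then
        # Strip the armor lines, decode the body, and read the cipher name
        # that follows the "openssh-key-v1" magic string ("none" = no passphrase).
        cipher=$(sed '1d;$d' "$key" | base64 -d 2>/dev/null \
                 | tr -cs '[:alnum:]-' '\n' | sed -n '2p')
        if [ "$cipher" = none ]; then echo plaintext; else echo encrypted; fi
    elif head -n 1 "$key" | grep -q 'PRIVATE KEY'; then
        echo plaintext                   # PEM key without a Proc-Type header
    else
        echo unknown
    fi
}

# Check one .ssh directory. Prints one line per finding and returns 0 only
# when the directory and every private key in it have acceptable permissions.
# A key without a passphrase is reported but does not fail the check, since
# the thread treats that as a conscious trade-off.
# Arithmetic uses 0$mode so the shell reads the mode as octal (bash, dash, ksh).
check_ssh_dir() {
    dir=$1
    rc=0
    mode=$(file_mode "$dir")
    if [ $(( 0$mode & 0100 )) -eq 0 ]; then
        echo "$dir: mode $mode has no owner search bit; ssh cannot open files in it"
        rc=1
    fi
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "$dir: mode $mode is group/world accessible; use 700"
        rc=1
    fi
    for key in "$dir"/id_* "$dir"/identity; do
        [ -f "$key" ] || continue
        case $key in *.pub) continue ;; esac     # public halves are fine to share
        kmode=$(file_mode "$key")
        if [ $(( 0$kmode & 077 )) -ne 0 ]; then
            echo "$key: mode $kmode is readable by others; ssh refuses it, use 600"
            rc=1
        fi
        if [ "$(key_encryption "$key")" = plaintext ]; then
            echo "$key: stored without a passphrase; any copy is usable as-is"
        fi
    done
    return $rc
}
```

Run it as `check_ssh_dir /root/.ssh` on each host. A directory at 400 fails on the first check alone, since the search bit, not readability, is what lets ssh reach the files; 700 on the directory with 600 (or 400) on each private key is the combination the checks accept.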