DSL logs

Devin Carraway aqua at atlantic.devin.com
Thu Jan 27 00:53:33 PST 2000

On Thu, Jan 27, 2000 at 12:43:04AM -0800, Mitchell Patenaude wrote:
> Your problem is that ssh is stopping to prompt for a password, and that 
> isn't going to work.  You need to get ssh to let you in on RSA/.shosts
> authentication, so it doesn't require a password.

	The quick instructions, if you haven't already generated your SSH
key pair:

	ssh-keygen (pick a nice long passphrase with some punctuation)
	ssh bolt.sonic.net 'cat >> .ssh/authorized_keys' < ~/.ssh/identity
	ssh bolt.sonic.net 'chmod go-rwx ~ ~/.ssh ~/.ssh/*'

> access to normal users.  If Bolt is compromised, then an attacker 
> *could* sniff your password with this scheme, whereas they wouldn't
> be able to if you just did a direct, unecrypted connection to the

	RSA authentication reduces this problem considerably, yes.  If
you're running ssh-agent (which you will probably find convenient, if you're
using fetchmail), you should generally instruct ssh not to forward the agent
to hosts you don't trust (never trust a shell server).  That's done by
adding an entry to your ~/.ssh/config file of the general form:

Host isp.shell.server
ForwardAgent no
ForwardX11 no

(the X11 part isn't related, but isn't a bad idea either)

	Lots of neat tricks available in that file, BTW.  Setting default
ciphers and compression levels is particularly useful.

Devin  \ aqua(at)devin.com, finger for PGP;  http://www.devin.com
Carraway \ IRC: Requiem  GCS/CC/L s-:--- !a !tv C++++$ ULB+++$ O+@ P L+++

More information about the talk mailing list