
December 02, 2007

SSH Connectivity and Support

I am sorry for the lack of posts here; I recently changed positions, which has kept me fairly busy. I just started at MIT in their application infrastructure services group and have been focusing on my new position more than my blogs. This weekend I started reading and came across a post from Kris at Geekbits3 that was relevant to me and, I am sure, will be relevant to all admins who manage a large number of UNIX hosts.

On most corporate networks, telnet is disabled and SSH is required for connectivity between Unix hosts. SSH requires a password and, depending on how it is configured, could also require a key phrase.

Kris outlines a secure configuration for connecting to your hosts with SSH that eliminates the need for a password or an SSH key phrase. This process needs to be followed on all of your servers; however, once in place, it will increase your efficiency and provide you with extended remote support on all of your servers.

Here is an overview of Kris's post:

Passwordless Login For SSH

I've recently set up a new backup server, and I wanted to be able to automate backups from my workstations to the server. I will be using OpenSSH (scp) as the transfer agent between the workstations and the server. By default the OpenSSH server asks for a password every time you log in; therefore automation is impossible without a bit of tweaking.

Creating an environment where passwords are unnecessary can be achieved using public-key cryptography. In this process we create unique identification between workstation (or other system) and server. The server can then recognize the user using a private/public key pair.

There are a number of steps that need to be completed, on both workstation and server, to achieve password-less logins. I have written the required server commands within the `ssh' command, to simplify the process. You will need to have a working OpenSSH server, and user login before beginning.

Read the rest of Kris's SSH entry ...
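
The server-side step the excerpt describes, as an added example that is not Kris's commands or code from the linked post: it installs a workstation's public key into `authorized_keys` with the permissions sshd's StrictModes check expects, and optionally prefixes OpenSSH key options so an unattended backup key can do less than an interactive login. The function names and the `backup_key` file name are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (constructed): server-side half of key-based login.
# Workstation side, run once by hand; "backup_key" is a hypothetical file name:
#   ssh-keygen -t ed25519 -f ~/.ssh/backup_key
# The line to install is then the content of ~/.ssh/backup_key.pub.

# install_pubkey HOME_DIR PUBKEY_LINE [OPTIONS]
# Appends PUBKEY_LINE, optionally prefixed by authorized_keys OPTIONS
# (e.g. no-pty,no-port-forwarding), to HOME_DIR/.ssh/authorized_keys.
# Idempotent: a key that is already present is not added again.
install_pubkey() {
    home=$1 key=$2 opts=${3:-}
    # Accept only a single "type base64 [comment]" line.
    case $key in
        *"
"*) echo "refusing multi-line key" >&2; return 2 ;;
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *) ;;
        *) echo "unrecognised key type" >&2; return 2 ;;
    esac
    blob=$(printf '%s\n' "$key" | awk '{print $2}')
    [ -n "$blob" ] || return 2
    dir=$home/.ssh file=$home/.ssh/authorized_keys
    # Create with a tight umask, then set modes explicitly in case they existed.
    ( umask 077; mkdir -p "$dir"; touch "$file" ) || return 1
    chmod 700 "$dir" && chmod 600 "$file" || return 1
    # Match on the base64 blob so a different comment or option set
    # does not produce a duplicate entry for the same key.
    if grep -qF -- "$blob" "$file"; then
        return 0
    fi
    printf '%s\n' "${opts:+$opts }$key" >> "$file"
}

# perms_ok PATH: succeeds only if PATH is not writable by group or others,
# which is the condition under which sshd will trust the file or directory.
perms_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case $mode in
        ?????w????|????????w?) return 1 ;;
    esac
    return 0
}
```
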

Comments

You could also look at using Kerberos and GSSAPI for authentication, which also eliminates the need to enter a password on every server. One additional advantage of using GSSAPI is that it can also function as a single sign-on for web apps, mail servers, jabber, and other services. I'm currently in the process of kerberizing as many services as possible in my own environment. Single sign-on is advantageous because it eliminates the need for users to remember multiple passwords and is also more secure than traditional password authentication.

I didn't read the entire linked post, but are you using ssh-agent to keep your keys saved for your session? Eliminates the need to retype the passphrase every time you ssh to a box.