On 4 October 2012 10:46, Chris Green cl@isbd.net wrote:
On Thu, Oct 04, 2012 at 10:30:09AM +0100, Laurie Brown wrote:
On 04/10/2012 09:59, Chris Green wrote:
On Wed, Oct 03, 2012 at 08:07:21PM +0100, Keith Edmunds wrote:
On Wed, 3 Oct 2012 19:49:27 +0100, cl@isbd.net said:
At present I don't allow passwordless (i.e. public key with no passphrase) logins
You can't stop them. There is no way, from the server, to ascertain whether or not the key being used to authenticate has been protected by a passphrase because that is decrypted on the sending system, not the receiving one.
Yes, but if the key isn't installed on the server then it's not going to work is it! I.e. it's down to me (as it's my server) to decide what keys to install, and if all the keys have passphrases then you need to know the passphrase to get the key to log in.
It doesn't work that way, Chris. The password is entered at the client end, as in, remote from the server. All the server does is ascertain that it's the correct certificate. It has no way of knowing whether it had a passphrase or not.
Yes, sorry, I am the client as well as it being my server. So it's up to me (as client) whether to give a passphrase to the key or not.
As I said earlier, it's not terribly clear what you're trying to achieve here...
See my much longer reply.
Will ssh-agent do what you need? It works per session so if you stay logged in I *think* it will do what you need - if I understand you correctly.
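The point made in the thread, that passphrase protection is a property of the private key file on the client and is never visible to the server, shown as an added example that is not part of the original messages. It reads the header of a private key in the current OpenSSH file format (`openssh-key-v1`) and reports the cipher and KDF; the helper names and the two header-only sample keys are constructed for illustration and contain no key material.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"  # fixed prefix of the OpenSSH private key format


def _string(buf, off):
    """Read one SSH 'string': uint32 big-endian length, then that many bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    start = off + 4
    if start + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[start:start + n], start + n


def key_protection(pem_text):
    """Return (ciphername, kdfname) from an OpenSSH-format private key file."""
    lines = pem_text.strip().splitlines()
    body = "".join(l for l in lines if not l.startswith("-----"))
    blob = base64.b64decode(body)
    if not blob.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 private key")
    cipher, off = _string(blob, len(MAGIC))
    kdf, _ = _string(blob, off)
    return cipher.decode(), kdf.decode()


def has_passphrase(pem_text):
    """A key stored without a passphrase has ciphername 'none'."""
    return key_protection(pem_text)[0] != "none"


def _constructed(cipher, kdf):
    """Build a header-only sample (constructed; kdfoptions left empty, no keys)."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    blob = MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 +
            "\n-----END OPENSSH PRIVATE KEY-----\n")


SAMPLE_PLAIN = _constructed(b"none", b"none")
SAMPLE_PROTECTED = _constructed(b"aes256-ctr", b"bcrypt")

if __name__ == "__main__":
    for name, pem in (("plain", SAMPLE_PLAIN), ("protected", SAMPLE_PROTECTED)):
        print(name, key_protection(pem), has_passphrase(pem))
```

This check only works where the private key file is readable, which is the client; the matching public key line installed on the server is the same whether or not the private key has a passphrase.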