On Mon, Feb 05, 2018 at 10:49:44AM +0000, Laurie Brown wrote:
On 05/02/18 10:26, Chris Green wrote:
[SNIP]
Password-less key pairs and the judicious use of the sudoers file are perfectly valid and secure ways to perform the task(s) you describe.
ssh-add is also a valid way to deal with key pairs requiring a password where unattended tasks are to be performed.
Yes, I didn't say it wasn't possible to do with keys. I was just saying that for (some of) my ways of using ssh it's no less secure and easier to use passwords. (... and because it's easier it's more secure because you don't short-cut the security).
I use passphrase-protected keys for quite a lot of ssh connections, I don't have an inherent dislike of them, but it's horses for courses.
Chris,
Key pairs with passwords, judicious use of sudoers and ssh-add, solve the issue you raised in your original post.
Yes, but it's still more complex (for the user, me) than using passwords directly, thus it's more error prone.
I've used a method which depends on ssh's ControlMaster option to sort my original problem.
Going back to password versus key for ssh, if you do a search for it you will find it's an ongoing debate - rather like editor wars! :-)
Yes, a 2048 bit (or is it byte) key is more secure than a password and is more difficult to brute force. However I set up my systems so that brute forcing the password is virtually impossible, other ways to break in are far more likely. To brute force my password(s) an attacker needs direct access to the system where the passwords are stored, that's my home desktop machine, if they have direct access then cracking passwords is hardly relevant!
All the talk about vulnerability to brute-forcing passwords is mostly (totally) only relevant to servers 'out there' where others have some sort of access.