From: <RGi...@a1...> - 2002-04-19 10:14:50
> Something I don't quite understand about this is that RSA
> authentication only seems to check to see if you have a matching
> key and password. That is to say, it doesn't seem to check to
> make sure the host you are coming from is the one that matches
> your key. If you set up RSA w/ no password, then all someone
> would need to do is copy your key to their machine to gain
> access. This doesn't seem especially secure to me vs. any
> other method, especially .shosts.

Yes, and that is why the ssh docs disapprove of keys without passwords
and recommend using ssh-agent. Unfortunately automating things means
you have to compromise.

> Maybe this is just local
> configuration, but it seems to be the default. Is there some
> way to turn on host checking that I missed?

Yes, you can specify 'from=<hostnamepatterns>' in authorized_keys to
limit accessibility to the account. This isn't entirely secure either,
but to circumvent it, the attacker must also compromise DNS and/or IP
routing. Note that even a client host key check doesn't mean improved
security if the client system is compromised.

> The one thing about keeping cleartext passwords around that's good
> is that the security implications are obvious.

Unfortunately not to everyone... :-(

I concur that there is no principal difference in security between a
file with cleartext passwords and a key file with non-password-protected
keys from a security point of view. But using the second one is much
simpler, you may even not need Expect for it, normal ssh calls are
often enough! And reduced complexity benefits everyone.

Roland
--
RGi...@cp...
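Added example, not part of the original message: a small audit that reads authorized_keys text and reports which keys carry no from= restriction, or one that matches every host. It assumes the option syntax documented for OpenSSH's authorized_keys file; the sample lines, hostnames, key blobs and function names are constructed for illustration.

```python
import re

# Constructed sample; key blobs are placeholders, not real keys.
SAMPLE = '''\
ssh-ed25519 AAAAPLACEHOLDER1 backup@nopin
from="*.example.org,!gw.example.org",command="/opt/backup,run" ssh-rsa AAAAPLACEHOLDER2 batch@pinned
from="*" ssh-rsa AAAAPLACEHOLDER3 cron@matchall
no-pty,FROM="192.0.2.10" 1024 35 1234567890 legacy@proto1
'''

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # a line starting with a key type has no options
# One option: name, optional quoted value, then a comma, whitespace or end of line.
OPT = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?(,|\s+|$)')

def parse_options(line):
    """Split the leading options off one authorized_keys line -> (dict, rest)."""
    first = line.split(None, 1)[0]
    if first.startswith(KEY_TYPES) or first.isdigit():  # digits: protocol 1 bits field
        return {}, line
    parsed, pos = {}, 0
    while True:
        m = OPT.match(line, pos)
        if m is None:
            raise ValueError("malformed options: " + line)
        parsed[m.group(1).lower()] = m.group(2) or ""  # option names are case-insensitive
        pos = m.end()
        if m.group(3) != ",":  # unquoted whitespace (or end) closes the options field
            return parsed, line[pos:].strip()

def audit(text):
    """Return {key comment: verdict} for every key line in the file text."""
    result = {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        opts, rest = parse_options(line)
        # Negated patterns (!host) only exclude hosts; they never grant access.
        positives = [p for p in opts.get("from", "").split(",") if p and p[0] != "!"]
        if not positives:
            verdict = "unrestricted"   # usable from any host that holds the key
        elif any(p.strip("*") == "" for p in positives):
            verdict = "match-all"      # from="*" restricts nothing
        else:
            verdict = "restricted"
        result[rest.split()[-1] if rest else line] = verdict
    return result
```

Running audit() over the accounts used for automation shows which passwordless keys would work from any machine they are copied to.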