LinuxQuestions.org


stateless 11-15-2013 05:57 PM

ssh password caching?
 
Hey there. I password protected an ssh private key on a system for security reasons. However, entering the password every single time is getting to be a bit annoying, and even problematic in some applications. I seem to recall hearing that Linux has some kind of short-term password caching mechanism, but I can't remember any of the details. Can I get some guidance from the gurus?

unSpawn 11-16-2013 04:10 AM

Quote:

Originally Posted by stateless (Post 5065299)
Hey there. I password protected an ssh private key on a system for security reasons. However, entering the password every single time is getting to be a bit annoying, and even problematic in some applications. I seem to recall hearing that Linux has some kind of short-term password caching mechanism, but I can't remember any of the details. Can I get some guidance from the gurus?

This will always be a trade-off. IMHO looking for a short-term password caching mechanism is choosing the easy way out. That has nothing to do with security. If a key is used by human users then there's no single other simple way than to require users to use ssh-agent. If a key is used by a non-human user then your options are limited in that you could ponder using a passphrase-less key provided you do not use the root account and limit network, user, file system access, connection options and the commands that can be run. In case of the latter it would be good to strengthen your system to ensure a proper audit trail can always be retrieved afterwards.

haertig 11-17-2013 08:46 PM

As unSpawn mentioned, if you want a passphrase protected key, you will need an "ssh agent". In the Windows world, where many people use "putty" for their ssh client, the agent is named "pageant" and comes with the putty distribution. In the Linux world, the ssh agent is named "ssh-agent" (who would have thought?!)

Another option is to keep your private key, with no passphrase, on an external thumbdrive that you plug into your computer when ssh'ing. Then remove the thumbdrive when you're done for the day. And never lose the thumbdrive into some evil villain's hands, since your private key is unprotected. You could also encrypt the thumbdrive so that even though your private key has no passphrase, it is still protected. But if you're going to that trouble, might as well just use an ssh agent instead.

For software using the keys, I don't know of any way to do that except by using no-passphrase keys. Who knows, somebody may be able to suggest a way to do that, but I don't know a way personally.
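The two cases raised in the replies above (ssh-agent for a human user, a restricted passphrase-less key for a non-human user) as an added example that is not part of any post in the thread. The function names `cache_key` and `restricted_entry`, the default lifetime, and the sample address and command are assumptions; `restrict` requires OpenSSH 7.2 or later on the server.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names, the default
# lifetime and all sample values are assumptions made for illustration.

# Human user: unlock the key once and let ssh-agent hold it for a limited
# time. ssh-add prompts for the passphrase; the agent drops the key when the
# lifetime runs out, so the next use prompts again.
cache_key() {  # usage: cache_key KEYFILE [LIFETIME_SECONDS]
    local key="$1" lifetime="${2:-3600}"
    [ -r "$key" ] || { echo "cannot read key file: $key" >&2; return 1; }
    # Start an agent for this shell only if it does not already have one.
    if [ -z "${SSH_AUTH_SOCK:-}" ] || [ ! -S "$SSH_AUTH_SOCK" ]; then
        eval "$(ssh-agent -s)" >/dev/null || return 1
    fi
    ssh-add -t "$lifetime" "$key"
}

# Non-human user: build the authorized_keys line for a passphrase-less key,
# tied to one source address and one forced command. "restrict" disables
# port, agent and X11 forwarding, PTY allocation and ~/.ssh/rc. The line goes
# into ~/.ssh/authorized_keys of a dedicated non-root account on the server.
restricted_entry() {  # usage: restricted_entry PUBKEY_LINE FROM_PATTERN COMMAND
    local pub="$1" from="$2" cmd="$3"
    case $pub in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *) ;;  # common key types only
        *) echo "not an OpenSSH public key line" >&2; return 1 ;;
    esac
    [ -n "$from" ] && [ -n "$cmd" ] || {
        echo "from pattern and command are both required" >&2; return 1; }
    # A double quote would end the option value early and change its meaning.
    case "$from$cmd" in
        *\"*) echo "double quotes are not allowed in options" >&2; return 1 ;;
    esac
    printf 'restrict,from="%s",command="%s" %s\n' "$from" "$cmd" "$pub"
}

# Typical use (constructed values):
#   cache_key ~/.ssh/id_ed25519 900
#   restricted_entry "$(cat backup.pub)" 192.0.2.10 /usr/local/bin/backup.sh
```

`ssh-add -l` lists the keys the agent currently holds, and `ssh-add -D` removes them before the lifetime expires.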


All times are GMT -5.