Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm
From: "Bill C. Riemers"
Subject: Re: Keygen for ssh (Was RE: Question about "rexec")
Date: Fri, 23 May 2003 10:13:20 -0400
Message-ID: <00a701c32135$7e54b610$6400a8c0@FoxtrotTech0001>
References: <3500515B75D9D311948800508BA37955014BDB6C@EX-LONDON>

> Just for future reference a nice quick way to do all this is to use Corinna's
> script (comes with the OpenSSH package)
> so just
> ssh-user-config -y
> (press enter for blank passphrase a few times)

Good idea. A lot simpler.

> cd ~/.ssh
> sftp user@remotehost
> cd .ssh
> mput *

Bad idea. Never copy both the private and public keys together. In most
cases, you should be copying the public key. However, there are rare cases
when you want to copy a private key instead.

Also, just because someone wants to be able to connect from machine A to
machine B without a passphrase does not mean the reverse is true. For
example, when I log in to freeshell.org or sourceforge.net I don't use a
passphrase. However, I don't want anyone on those machines, including the
system administrators, to be able to connect back to my home computer.

I know a system administrator on a company intranet who was fired for
copying and using confidential information. Since a system administrator
could replace 'ssh' or 'ssh-keygen' with a version that logged my password,
that means I need to take extra precautions.

The most secure thing to do is to never allow a connection from an untrusted
machine to a trusted machine. However, if you do need to do so, generate a
key pair in advance on the trusted machine that requires a passphrase.
Install the private key on the public machine and the public key in the
authorized_keys file of the trusted machine. Only use the key pair once,
before removing the public key from the authorized_keys file and generating
a new pair.

Bill
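
The single-use key procedure described in the message, written as shell helpers to run on the trusted machine. This is an added example, not part of the original post; the function names, the ed25519 key type and the file paths are assumptions.

```shell
#!/bin/sh
# Added example: single-use key handling on the TRUSTED machine.
# Function names, key type and paths are assumptions, not from the post.

# Generate a pair in advance; with no -N option ssh-keygen prompts for
# the passphrase, so the private key is never stored unencrypted.
new_onetime_key() {        # $1 = private key path, $2 = comment tag
    ssh-keygen -t ed25519 -f "$1" -C "$2"
}

# Append only a PUBLIC key to authorized_keys; refuse private key files.
authorize_pubkey() {       # $1 = .pub file, $2 = authorized_keys file
    if grep -q 'PRIVATE KEY' "$1"; then
        echo "refusing: $1 contains private key material" >&2
        return 1
    fi
    ( umask 077; touch "$2" )
    # Idempotent: add the line only if it is not already present.
    grep -qxFf "$1" "$2" || cat "$1" >> "$2"
    chmod 600 "$2"
}

# True if the key blob (second field of the .pub line) is authorized.
is_authorized() {          # $1 = .pub file, $2 = authorized_keys file
    blob=$(awk 'NR==1 {print $2}' "$1")
    [ -n "$blob" ] && grep -qF -- "$blob" "$2"
}

# After the single use, drop every line carrying that key blob and leave
# all other entries untouched. Matching on the blob still works if the
# comment or leading options on the line were edited.
revoke_pubkey() {          # $1 = .pub file, $2 = authorized_keys file
    blob=$(awk 'NR==1 {print $2}' "$1")
    [ -n "$blob" ] || return 1
    tmp=$(mktemp "$2.XXXXXX") || return 1
    awk -v b="$blob" \
        '{ for (i = 1; i <= NF; i++) if ($i == b) next; print }' "$2" > "$tmp"
    chmod 600 "$tmp" && mv "$tmp" "$2"
}

# Typical sequence (paths are placeholders):
#   new_onetime_key ./onetime "onetime-$(date +%Y%m%d)"
#   authorize_pubkey ./onetime.pub ~/.ssh/authorized_keys
#   ... carry ./onetime to the untrusted machine, connect once ...
#   revoke_pubkey ./onetime.pub ~/.ssh/authorized_keys
```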