From: "Bill C. Riemers"
Delivered-To: mailing list cygwin AT cygwin DOT com
Subject: Re: Keygen for ssh (Was RE: Question about "rexec")
Date: Fri, 23 May 2003 10:13:20 -0400

> Just for future reference a nice quick way to do all this is to use Corinna's
> script (comes with the open ssh package)
> so just
> ssh-user-config -y
> (press enter for blank passphrase a few times)

Good idea. A lot simpler.

> cd ~/.ssh
> sftp user@remotehost
> cd .ssh
> mput *

Bad idea. Never copy both the private and public keys together. In most
cases, you should be copying the public key. However, there are rare cases
when you want to copy a private key instead.

Also, just because someone wants to be able to connect from machine A to
machine B without a passphrase does not mean the reverse is true. For
example, when I log in to freeshell.org or sourceforge.net I don't use a
passphrase. However, I don't want anyone on those machines, including the
system administrators, to be able to connect back to my home computer.

I know a system administrator on a company intranet who was fired for
copying and using confidential information. Since a system administrator
could replace 'ssh' or 'ssh-keygen' with a version that logged my password,
that means I need to take extra precautions. The most secure thing to do is
to never allow a connection from an untrusted machine to a trusted machine.
However, if you do need to do so, generate a key pair in advance on the
trusted machine that requires a passphrase. Install the private key on the
public machine and the public key in the authorized_keys file of the trusted
machine. Only use the key pair once, before removing the public key from the
authorized_keys file and generating a new pair.

Bill
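
Two points from the message above, copying only the public half of a key pair and removing a one-time key from authorized_keys after its single use, shown as an added example that is not part of the original post. The function names are hypothetical and the key strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names are hypothetical, key material is constructed.

# key_blob FILE: print the base64 field of the public key on line 1.
key_blob() { awk 'NR == 1 { print $2 }' "$1"; }

# list_public_keys DIR: print *.pub files that really contain a public key.
list_public_keys() {
    for f in "$1"/*.pub; do
        [ -f "$f" ] || continue
        if grep -q 'PRIVATE KEY' "$f"; then continue; fi   # private key named .pub
        if grep -Eq '^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9]+) [A-Za-z0-9+/]+=*' "$f"; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# authorize_key PUBFILE AUTHFILE: add the key once; keep the file mode 600.
authorize_key() {
    blob=$(key_blob "$1"); [ -n "$blob" ] || return 1
    touch "$2" && chmod 600 "$2" || return 1
    if ! grep -qF -- "$blob" "$2"; then printf '%s\n' "$(head -n 1 "$1")" >> "$2"; fi
}

# revoke_key PUBFILE AUTHFILE: drop every line carrying that key (one-time use).
revoke_key() {
    blob=$(key_blob "$1"); [ -n "$blob" ] || return 1
    tmp=$(mktemp "$2.XXXXXX") || return 1
    awk -v b="$blob" '{ for (i = 1; i <= NF; i++) if ($i == b) next; print }' "$2" > "$tmp"
    mv "$tmp" "$2"
}

demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED' > "$d/id_rsa"
    cp "$d/id_rsa" "$d/backup.pub"                      # private key with a .pub name
    echo 'ssh-rsa AAAAB3NzaC1yc2ECONSTRUCTEDDEMO= one-time@trusted' > "$d/id_rsa.pub"
    echo 'ssh-rsa AAAAB3NzaC1yc2ECONSTRUCTEDKEEP= laptop' > "$d/authorized_keys"
    list_public_keys "$d"                               # only id_rsa.pub is printed
    authorize_key "$d/id_rsa.pub" "$d/authorized_keys"  # before the single session
    revoke_key "$d/id_rsa.pub" "$d/authorized_keys"     # right after it
    cat "$d/authorized_keys"                            # the laptop key alone remains
    rm -rf "$d"
}
demo
```

In real use, `list_public_keys ~/.ssh` gives the files that are safe to upload in place of `mput *`, and `revoke_key` runs on the trusted machine as soon as the single session has ended.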