<quote who="Mark A. Hershberger">
> Alex McKenzie <alex@boxchain.com> writes:
>
>>>> If your key falls into the wrong hands, you've given that person
>>>> passwordless access to your accounts.
>>
>> So audit all logins under that account, using that
>> keypair. Periodically look at your message log and see what IPs at
>> what times connected with it. You could even do fancy stuff like
>> per-account IP exclusions with ssh.
>
> Why not just use a passphrase for keys you use interactively?
>
> Or limit the capabilities of a keypair to a single task (for keys you
> use in automated situations)?
>
> Seems like less work than remembering to audit your logs.
>
> Mark.

I was under the impression that this was for an automated backup
situation, which is what (I believe) passphraseless keypairs are meant
for. I was also assuming a limited backup account, but it can work both
ways.

Auditing logs is one of the most useful, and easiest, security tasks you
can do. It's a good habit to get into, and it can be automated with some
scripts.

...A
___________________
Nolug mailing list
nolug@nolug.org
Received on 07/21/03
This archive was generated by hypermail 2.2.0 : 12/19/08 EST
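
The log audit discussed in this thread (which IPs connected with a keypair, and when) could be scripted along these lines. This is an added example, not part of the original messages: the sshd syslog line format, the constructed sample lines, and the `EXPECTED` per-account network policy are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in the usual sshd syslog format (not from the thread).
SAMPLE_LOG = """\
Jul 21 02:00:01 vault sshd[2211]: Accepted publickey for backup from 192.0.2.10 port 51514 ssh2
Jul 21 02:00:09 vault sshd[2215]: Failed password for root from 203.0.113.77 port 40022 ssh2
Jul 21 14:37:52 vault sshd[3020]: Accepted publickey for backup from 198.51.100.23 port 60111 ssh2
Jul 22 02:00:02 vault sshd[3999]: Accepted publickey for backup from 192.0.2.10 port 51620 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
Jul 22 09:12:44 vault sshd[4100]: Accepted publickey for alex from 198.51.100.23 port 60200 ssh2
"""

# Hypothetical policy: networks each key-only account is expected to log in from.
EXPECTED = {"backup": [ip_network("192.0.2.0/24")]}

ACCEPT = re.compile(
    r"^(?P<when>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def publickey_logins(log_text):
    """Yield (user, ip, timestamp) for every successful public-key login."""
    for line in log_text.splitlines():
        m = ACCEPT.match(line)
        if m:
            yield m["user"], ip_address(m["ip"]), m["when"]

def audit(log_text, expected=EXPECTED):
    """Return (summary, alerts).
    summary: {user: {ip_string: [timestamps]}} for all public-key logins.
    alerts:  logins to a policed account from outside its expected networks."""
    summary = defaultdict(lambda: defaultdict(list))
    alerts = []
    for user, ip, when in publickey_logins(log_text):
        summary[user][str(ip)].append(when)
        nets = expected.get(user)
        if nets is not None and not any(ip in net for net in nets):
            alerts.append((user, str(ip), when))
    return summary, alerts

if __name__ == "__main__":
    summary, alerts = audit(SAMPLE_LOG)
    for user, by_ip in summary.items():
        for ip, times in by_ip.items():
            print(f"{user:8} {ip:15} {len(times)} login(s): {', '.join(times)}")
    for user, ip, when in alerts:
        print(f"ALERT: {user} key login from unexpected address {ip} at {when}")
```

Accounts without an entry in `EXPECTED` are summarized but never alerted on, so the policy can start with just the passphraseless backup account.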