Re: Re: Re: Re: `knife ssh` to multiple servers with passphrase on key


#1

Thanks for the advice guys.

Just in case anyone wants to know how I did it, this worked for me:

ssh-agent sh -c "ssh-add && knife ssh -p2020 -x root 'name:*' 'ls -a'"

I’ll have a look at Keychain as that may be useful, however security
is important so I doubt we would want to keep the key available longer
than necessary!

Dane
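The one-liner above scopes the agent to a single shell. The same pattern as a reusable POSIX sh function, an added example that is not from the thread: it adds an explicit key lifetime (`ssh-add -t`) as a second bound and then checks that nothing stays loaded once the command returns. The key file, TTL and demo command are assumptions, and the test key is generated without a passphrase purely so it runs non-interactively.

```shell
#!/bin/sh
# Added example: the thread's `ssh-agent sh -c "ssh-add && knife ssh ..."`
# pattern as a function. `ssh-agent <command>` starts an agent, runs the
# command with SSH_AUTH_SOCK set, and kills the agent when the command
# exits, so the decrypted key never outlives the command. `ssh-add -t`
# adds a second bound: the identity expires even if the command hangs.

# run_with_ephemeral_agent KEYFILE TTL_SECONDS 'command string'
run_with_ephemeral_agent() {
    key=$1; ttl=$2; cmd=$3
    # The inner sh receives ttl/key/cmd as $1/$2/$3; no eval of user input.
    ssh-agent sh -c 'ssh-add -t "$1" "$2" && sh -c "$3"' sh "$ttl" "$key" "$cmd"
}

# Count identities reachable through SSH_AUTH_SOCK; prints 0 when no agent
# is reachable at all (ssh-add -l then fails and prints nothing on stdout).
identities_loaded() {
    ssh-add -l 2>/dev/null | grep -c '^[0-9]' || true
}

# Constructed, unencrypted throw-away key so the demo needs no passphrase
# prompt (with a passphrase-protected key, ssh-add asks on the terminal).
make_test_key() {
    ssh-keygen -q -t ed25519 -N '' -f "$1/id_example" && printf '%s\n' "$1/id_example"
}

# Shows the key visible inside the wrapped command and gone afterwards.
# In real use the command string would be the one from the thread, e.g.
#   knife ssh -p2020 -x root 'name:*' 'ls -a'
demo() {
    dir=$(mktemp -d)
    key=$(make_test_key "$dir")
    inside=$(run_with_ephemeral_agent "$key" 60 'ssh-add -l | grep -c "^[0-9]"')
    outside=$(identities_loaded)
    rm -rf "$dir"
    echo "identities visible inside=$inside after=$outside socket=${SSH_AUTH_SOCK:-unset}"
}

# Run with:  sh thisfile.sh run
case "${1:-}" in run) demo ;; esac
```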


#2

I don’t understand. Are you worried that someone is going to hack your
workstation, escalate privileges to root and retrieve your SSH keys off of
ssh-agent’s memory?

Then, sir, you are way more paranoid than I am; and I’m pretty paranoid.
Respect :slight_smile:

On Fri, Feb 22, 2013 at 9:13 PM, Dane Elwell mlist@xiol.co.uk wrote:

Thanks for the advice guys.

Just in case anyone wants to know how I did it, this worked for me:

ssh-agent sh -c "ssh-add && knife ssh -p2020 -x root 'name:*' 'ls -a'"

I’ll have a look at Keychain as that may be useful, however security
is important so I doubt we would want to keep the key available longer
than necessary!

Dane


#3

Workstations are often the weakest link in the security chain.

Considering that you’re now using that workstation to remotely
administer /multiple/ critical servers, it had better be the strongest link.

On 13-02-22 12:21 PM, Andrea Campi wrote:

I don’t understand. Are you worried that someone is going to hack your
workstation, escalate privileges to root and retrieve your SSH keys off
of ssh-agent’s memory?

Then, sir, you are way more paranoid than I am; and I’m pretty
paranoid. Respect :slight_smile:

On Fri, Feb 22, 2013 at 9:13 PM, Dane Elwell mlist@xiol.co.uk wrote:

Thanks for the advice guys.

Just in case anyone wants to know how I did it, this worked for me:

ssh-agent sh -c "ssh-add && knife ssh -p2020 -x root 'name:*' 'ls -a'"

I'll have a look at Keychain as that may be useful, however security
is important so I doubt we would want to keep the key available longer
than necessary!

Dane

#4

On Fri, Feb 22, 2013 at 9:52 PM, Dan Razzell danr@activestate.com wrote:

Workstations are often the weakest link in the security chain.

Considering that you’re now using that workstation to remotely administer
multiple critical servers, it had better be the strongest link.

Fair enough. So use a firewall, antivirus, encrypt the hard drive; use it
only behind a firewall; do whatever it takes.
But making security a hindrance to productivity only leads to people
working around instead of towards better security.

Case in point: if “they” can read your SSH cert out of ssh-agent, “they” can
just as easily install a key logger.
By not using ssh-agent, or restarting it very often, you have to type your
password more often, making the system less secure.


#5

Considering the command used below was sshing into machines as root, I think any talk of security being important goes out the window IMHO.

On Feb 22, 2013, at 4:52 PM, Dan Razzell danr@activestate.com wrote:

Workstations are often the weakest link in the security chain.

Considering that you’re now using that workstation to remotely administer multiple critical servers, it had better be the strongest link.

On 13-02-22 12:21 PM, Andrea Campi wrote:

I don’t understand. Are you worried that someone is going to hack your workstation, escalate privileges to root and retrieve your SSH keys off of ssh-agent’s memory?

Then, sir, you are way more paranoid than I am; and I’m pretty paranoid. Respect :slight_smile:

On Fri, Feb 22, 2013 at 9:13 PM, Dane Elwell mlist@xiol.co.uk wrote:

Thanks for the advice guys.

Just in case anyone wants to know how I did it, this worked for me:

ssh-agent sh -c "ssh-add && knife ssh -p2020 -x root 'name:*' 'ls -a'"

I’ll have a look at Keychain as that may be useful, however security
is important so I doubt we would want to keep the key available longer
than necessary!

Dane


#6

On Fri, Feb 22, 2013 at 10:15 PM, Pete Cheslock petecheslock@gmail.com wrote:

Considering the command used below was sshing into machines as root, I
think any talk of security being important goes out the window IMHO.

Good point, I hadn’t noticed. I rest my case :slight_smile:


#7

Just to clarify, yes we are SSHing in directly as root, however SSH is
configured to “PermitRootLogin without-password” and all of those
servers are accessible via a management network that is not externally
accessible except via VPN.

On 22 February 2013 21:17, Andrea Campi andrea.campi@zephirworks.com wrote:

On Fri, Feb 22, 2013 at 10:15 PM, Pete Cheslock petecheslock@gmail.com
wrote:

Considering the command used below was sshing into machines as root, I
think any talk of security being important goes out the window IMHO.

Good point, I hadn’t noticed. I rest my case :slight_smile: