Aldo Foot wrote:
If the remote machine must access you machine, then set it up so the key runs one command on the local machine. If you don't trust the administrator on the remote machine, then a pass phrase on the key does not help, unless the administrator does not have the pass phrase. You would probably be better off having the key on some type of media you bring with you.Controlling access to the media storing the keys and accounts is of my greatest concern in particular if the system is located in some other city and someone else admins the machine.Maybe I'm too paranoid.
Now, if this were interactive access, then it would be different. But if you have to pass the pass phrase as part of a script, or read it from a file, then the only advantage is that the cracker has to grab an extra file or two. Now, if you can arrange things so that you do not need root access on the remote machine, then you can create a user specifically for the access, and limit the access. If you have to allow automated remote access, then there is no way to make it totally safe. But you can limit the damage that can be done.
Mikkel -- Do not meddle in the affairs of dragons, for thou art crunchy and taste good with Ketchup!
Attachment:
signature.asc
Description: OpenPGP digital signature
