Mikkel L. Ellertson wrote:
Yes, that is a problem. You can only hope that such a user would have good pass phrase(s) on their key(s). Though I would expect the attacker to have more luck using the information in known_hosts to pick targets. If you only use "unlocked" keys for cron jobs, and then limit access on the remote system, you can keep the risk manageable. I can picture a cron job that does a backup to a remote machine, or a backup client that uses an ssh link to communicate to a backup server on a remote machine using "unlocked" keys.
Mine goes through a vpn. It's possible, too, to play tricks with iptables: a connection to ssh from example.com gets redirected to port 22022 where there's another ssh running, or DNATted to another box.
-- Cheers John
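One way to "limit access on the remote system" for an unlocked cron key, as an added example that is not part of the original thread: a forced-command gate on the backup server that lets the key do nothing except push an rsync backup into one directory. The choice of rsync, the script path, the client address and `BACKUP_ROOT` are assumptions made for the illustration.

```shell
#!/bin/sh
# backup-gate: forced command for an unattended ("unlocked") backup key.
# Assumed authorized_keys line on the backup server (constructed values):
#   restrict,from="192.0.2.10",command="/usr/local/bin/backup-gate" ssh-ed25519 <public-key> backup@client
# sshd ignores the command the client asked for, runs this script instead,
# and passes the client's request in SSH_ORIGINAL_COMMAND.

BACKUP_ROOT="/srv/backup/client1"   # hypothetical: the only tree this key may write

# Return 0 only for "rsync --server -<flags> . $BACKUP_ROOT/..." (an rsync push).
gate_check() {
    cmd=$1
    case $cmd in
        # Character allowlist (no shell metacharacters, globs or newlines)
        # and no ".." anywhere in the request.
        *[!A-Za-z0-9\ ./_-]*|*..*) return 1 ;;
    esac
    set -- $cmd                       # split into words; no glob characters are left
    [ $# -eq 5 ] || return 1          # also rejects --sender and any extra long option
    [ "$1" = rsync ] && [ "$2" = --server ] && [ "$4" = . ] || return 1
    case $3 in -[!-]*) ;; *) return 1 ;; esac      # one short-flag bundle only
    case $5 in "$BACKUP_ROOT"/*) return 0 ;; *) return 1 ;; esac
}

# Only act when sshd invoked us with a client request.
if [ -n "${SSH_ORIGINAL_COMMAND+x}" ]; then
    if gate_check "$SSH_ORIGINAL_COMMAND"; then
        exec $SSH_ORIGINAL_COMMAND    # word-split and exec directly, no shell re-parse
    fi
    echo "backup-gate: request refused" >&2
    exit 1
fi
```

The five-word rule is deliberately strict: a client that adds long options such as `--delete` is refused until the gate is widened for that option on purpose.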