Re: [Pan-users] complex question less to do with pan, more to do with?internet

[Carl Wilhelm Soderstrom]

>       I know there is a way you can set up a password-less key, which 
> basically 
> means if the local key matches the one you've stored on the remote 
> machine, you don't get prompted at all when logging in.  

yep. it's very convenient at times, and useful for automated tasks.
'man ssh-keygen' will give you the information; tho it's pretty dense.

basically, you run ssh-keygen (plus some options, like 'ssh-keygen -t dsa -b
2048 -C "My nifty key"), don't put in a passphrase when it asks you; then
copy the resulting id_dsa.pub key to .ssh/authorized_keys on the remote
machine you want to log into. 
(you'll need to make sure that the following values are set in your
sshd_config file, tho they may be already set by default:
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile     .ssh/authorized_keys 
)


you can also use this to strengthen security; by putting a passphrase on the
key. this way, someone would need the key ('something you have') and know
the password ('something your know') instead of just needing to know the
password. this satisfies two of the 'security triad' parts (something you
have, something you know, and something you are), instead of just one.

I usually consider that more trouble than it's worth tho; unless you're
paranoid for a hobby, ;)

Carl Soderstrom.
-- 
Systems Administrator
Real-Time Enterprises
www.real-time.com