"When asked to enter a passphrase, do so. An ssh key without a passphrase is completely vulnerable if stolen."
That's true, but how do you handle cron jobs? An 'expect' script literally has your unhashed password in it. Only multiple key pairs, I guess.


@gemlog @tomasino I agree here. I have lots of scripts. How do I handle a key with a password from a shell script?

@gemlog @tomasino Not sure that works with rsync -avz --delete user@server:/stuff or scp, etc. I will stick with no passwords and protect the private keys.

@adamd @tomasino
I honestly have no idea. I have been using rsync over ssh the same way you do for, like, 20 years now. 'expect' is the only thing that comes to mind as an answer, although I've never used it. I think I tried it once long ago for a dial-up connection and gave up on it.

@adamd @gemlog There are a number of ways. I personally keep the passwords in LastPass and use it with ssh-agent to make everything magical.


@tomasino @adamd
Well, I may be wrong, but my thinking is that if I'm storing a key pair on the same box and then just also storing a pass phrase on the same box and I'm compromised, what is the difference?

@gemlog @adamd LastPass has its own mechanisms for password protection and stores its db encrypted.

@tomasino @adamd
Right after I pressed send I saw 'local hash' coming!

@gemlog @adamd You can do something similar with KeePass or 1Password, or just pick memorable passwords for your keys like "this is a phrase for tilde town". Knowing how to use ssh-agent is really helpful for making lots of keys more manageable.

Credit to @mwlucas and his SSH Mastery book for its fantastic information.
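As an added example that is not part of the thread (not @tomasino's setup, nor anything from the SSH Mastery book): one way to run the rsync-from-cron job @adamd describes against a passphrase-protected key is to unlock the key once into a long-lived ssh-agent and have the cron script reuse that agent. The passphrase is typed once per boot and never written to disk, which is the difference from an 'expect' script. The paths ~/.ssh/agent.env and ~/.ssh/id_ed25519_backup, the remote user@server:/stuff and the local /srv/backup/stuff are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: run a cron rsync job with a
# passphrase-protected key by reusing a long-lived ssh-agent rather than
# storing the passphrase in an expect script.
# Hypothetical paths and hosts: ~/.ssh/agent.env, ~/.ssh/id_ed25519_backup,
# user@server:/stuff and /srv/backup/stuff.

AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"
KEY_FILE="${KEY_FILE:-$HOME/.ssh/id_ed25519_backup}"
REMOTE="${REMOTE:-user@server:/stuff}"
LOCAL_DIR="${LOCAL_DIR:-/srv/backup/stuff}"

# key_loaded FINGERPRINT LISTING
# True when LISTING (the text `ssh-add -l` prints) mentions FINGERPRINT.
key_loaded() {
    printf '%s\n' "$2" | grep -qF -- "$1"
}

# agent_env_valid FILE
# True when FILE (saved output of `ssh-agent -s`) names a live agent socket.
agent_env_valid() {
    [ -r "$1" ] || return 1
    . "$1" >/dev/null
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# ensure_agent
# Reuse the saved agent if it is alive. Otherwise start one and add the key,
# which needs a terminal so the passphrase is typed, not stored: run the
# script once interactively after each reboot; cron reuses the agent later.
ensure_agent() {
    agent_env_valid "$AGENT_ENV" && return 0
    if [ ! -t 0 ]; then
        echo "no live ssh-agent in $AGENT_ENV and no tty to unlock $KEY_FILE" >&2
        return 1
    fi
    umask 077
    ssh-agent -s > "$AGENT_ENV" || return 1
    . "$AGENT_ENV" >/dev/null
    ssh-add "$KEY_FILE"
}

# run_backup
# Only proceeds when this key's fingerprint is loaded, so a stale agent or
# one holding other keys does not get used by accident.
run_backup() {
    fp=$(ssh-keygen -lf "$KEY_FILE.pub" | awk '{print $2}') || return 1
    if ! key_loaded "$fp" "$(ssh-add -l 2>/dev/null)"; then
        echo "key $fp is not loaded in the agent; unlock it interactively first" >&2
        return 1
    fi
    rsync -avz --delete -e ssh "$REMOTE/" "$LOCAL_DIR/"
}

# Usage: backup.sh run   (crontab: */30 * * * * $HOME/bin/backup.sh run)
if [ "${1:-}" = "run" ]; then
    ensure_agent && run_backup
fi
```

The caveat @gemlog raises still applies: while the agent is running, anyone who compromises that account can use the loaded key through the agent socket, so this protects the key file at rest and in backups, not the box while it is unlocked. If the job must survive reboots unattended, the other standard option is the "multiple key pairs" route: a separate key with no passphrase that is only accepted for this one purpose, restricted on the server side in authorized_keys with from= and command= so that it cannot open a shell or reach anything but the intended rsync.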

@tomasino @gemlog @mwlucas
I'll do some looking around / learning. I was a KeePassXC fan but wanted a CLI way. I believe KeePassXC has a CLI way. At the time I did not know that. It was a long time ago. It will be a lot of work to move now, as I have lots of information in my pass-store.

@adamd @gemlog @mwlucas I've been incrementally fixing my key situation. Michael's book severely shamed me. Haha

@tomasino @adamd @gemlog

There's no shame in not knowing better.

Now that you know better, you can feel shamed. :flan_tongue:

Mastodon @ SDF