Actually, an even better solution would be to set up public keys WITH a password, then simply use an "ssh-agent" to keep it in memory. That way, you can leave the processes to do what deeds they will, and the keys are still protected with a password in the event they are stolen.
On Nov 15, Jesse Rosenthal wrote:
> Whatever I do, though, I'll need to use pexpect to spawn the
> processes, since I'll need to log in to ssh servers with a password.
You might save yourself this effort by setting up ssh for
non-interactive use with keys instead of password authentication:
$ cd ~/.ssh
$ chmod 700 .
$ ssh-keygen -t rsa # just keep pressing <enter>
$ cp id_rsa.pub authorized_keys2
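The key-based setup sketched in the reply above, carried through with the passphrase-protected key and agent that the top post recommends, as an added example that is not from either poster. It assumes OpenSSH's ssh-keygen and ssh-agent and GNU coreutils stat; the directory under mktemp, the passphrase, and the /usr/local/bin/rsync-wrapper command path are constructed placeholders. It also checks two things a practitioner wants to know before trusting unattended jobs to a key: that the private key really is encrypted at rest, and that the authorized_keys entry limits what a stolen key could do.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes OpenSSH and GNU stat.
set -e

# ~/.ssh and authorized_keys must be private, or sshd (StrictModes) ignores them.
setup_ssh_dir() {
    mkdir -p "$1"
    chmod 700 "$1"
    touch "$1/authorized_keys"
    chmod 600 "$1/authorized_keys"
}

# Octal mode of a path (GNU stat; macOS would need stat -f %Lp).
mode_of() {
    stat -c %a "$1"
}

# Generate an ed25519 key whose private half is encrypted with passphrase $2.
make_key() {
    ssh-keygen -q -t ed25519 -N "$2" -f "$1" -C "batch-job" </dev/null
}

# Succeeds only if the private key cannot be used with an empty passphrase,
# i.e. it is actually encrypted on disk and not just a bare key.
key_requires_passphrase() {
    ! ssh-keygen -y -P "" -f "$1" </dev/null >/dev/null 2>&1
}

# authorized_keys line pinning the key to one command and disabling forwarding
# and pty allocation: a stolen key gets that command and nothing else.
# $1 = path to the .pub file, $2 = the only command the key may run
restricted_authorized_line() {
    printf 'command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$2" "$(cut -d' ' -f1,2 "$1")"
}

# Start an agent that forgets its keys after $1 seconds. Processes started
# afterwards inherit SSH_AUTH_SOCK and never see the passphrase themselves.
start_agent() {
    eval "$(ssh-agent -s -t "$1")" >/dev/null
    [ -S "$SSH_AUTH_SOCK" ]
}

stop_agent() {
    ssh-agent -k >/dev/null 2>&1 || true
}

main() {
    tmp=$(mktemp -d)
    setup_ssh_dir "$tmp/.ssh"
    make_key "$tmp/.ssh/id_ed25519" "correct horse battery staple"   # constructed passphrase
    key_requires_passphrase "$tmp/.ssh/id_ed25519" && echo "key is encrypted at rest"
    restricted_authorized_line "$tmp/.ssh/id_ed25519.pub" "/usr/local/bin/rsync-wrapper" \
        >>"$tmp/.ssh/authorized_keys"
    cat "$tmp/.ssh/authorized_keys"
    start_agent 3600
    # ssh-add "$tmp/.ssh/id_ed25519" would prompt once here; every ssh/scp run
    # from this shell afterwards authenticates through the agent.
    stop_agent
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then main; fi
```

Run it with `--demo` to see the whole sequence. In practice the authorized_keys line goes on the server, the agent is started once per login session (or under a supervisor), and the passphrase is typed at `ssh-add` time only; the batch jobs themselves only ever hold the agent socket, which is what keeps the key "protected with a password in the event they are stolen" while still letting the jobs run unattended.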