AutoSSH adds auto log on capability to OpenSSH's ssh program without requiring you to give up passphrase protection for your private key. It is the best tool to enable the full potential of OpenSSH in an environment that needs both security and efficiency. With sophisticated protection mechanisms built in, using AutoSSH to automate ssh is more secure than using ssh-agent. AutoSSH can even log "who requested to run what commands on which server at what time".
AutoSSH's assh program is highly compatible with OpenSSH's ssh program; in most cases you can simply use assh wherever you would use ssh. For example:
tar cvf - important-files | assh user@bkup-server dd of=backup.tar
If you want the efficiency of ssh auto log on while maintaining good security, AutoSSH is the best choice: it is easy to use and is the most secure way to automate ssh log on. Consider the security risks of the other ways:
Host-based authentication: the host key has no passphrase protection, so anybody who can obtain the host key can copy it to another machine and use it.
Manually keying in the password or passphrase: users on your machine with your privilege or root privilege are able to use a system call tracer to capture the password or passphrase as you type it.
Using ssh-agent: with the source code freely available, it is not difficult for a person with the right privilege on your machine to use a debugger to retrieve your unlocked private key from ssh-agent.
And whether you use ssh-agent or run ssh manually, both are very vulnerable to Trojan horse attack. With Checksum certificate protection, AutoSSH can automatically detect any changes to the ssh program, and so significantly reduces this kind of risk.
AutoSSH can significantly improve the productivity of system administrators. In an ISP environment there may be tens or even hundreds of machines running the same version of UNIX and/or Linux with similar configurations. When common changes need to be applied to all of these machines, doing so without an auto log on solution is a very time-consuming and tedious job. With SSH you may think you already have a good solution: use public key authentication, run ssh-agent, and perform the task by preparing a script and running:
for server in `cat ServerList`
do
    cat script | ssh root@$server
done
However, when you talk to your security officer, he/she may ask: how do you make sure only approved commands are executed on those machines? Can you provide an audit log from which he/she can later verify that you ran only the authorised commands on the authorised machines?
With AutoSSH, you can run
for server in `cat ServerList`
do
    asshc root@$server "`cat script`"
done
The asshc command logs the contents of the "script" file, together with the time asshc started, which user ran it (you), which server it connected to and which remote user it logged on as (root), and even the time the process finished and its exit code.
What if you run asshc without giving it a command? asshc refuses to run unless you specify a command to execute on the remote server, which eliminates the risk that you accidentally end up at a command line on the remote server by running asshc.
However, you may still be able to reach the command line by running:
asshc -t root@server sh
But when logging activity is the main reason your site chose asshc, you will have no excuse if the security officer finds this in the log.
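As an added example that is not AutoSSH's own code, the following POSIX shell wrapper approximates the audit record the text says asshc keeps (who ran it, which commands, which server and remote user, start and end time, exit code), refuses to run with no command, and wraps the ServerList loop above. It assumes a log path AUDIT_LOG and a transport command SSH_CMD; the local_exec stand-in runs the command locally so the example can be tried offline.

```shell
#!/bin/sh
# Added example, not part of AutoSSH: an audit wrapper in the spirit of asshc.
# Assumptions: AUDIT_LOG is the audit log file; SSH_CMD is the transport, which
# defaults to local_exec (runs the command on this machine so the example works
# offline). For real use set SSH_CMD=ssh, or replace the call with assh/asshc.
AUDIT_LOG="${AUDIT_LOG:-./audit.log}"
SSH_CMD="${SSH_CMD:-local_exec}"

local_exec() { shift; sh -c "$1"; }   # ignores user@server, runs the command here

audit_run() {
    # usage: audit_run user@server 'commands'
    target="$1"; [ $# -gt 0 ] && shift; cmd="$*"
    # Like asshc: never open an interactive shell by accident.
    if [ -z "$cmd" ]; then
        echo "audit_run: refusing to run without a command for $target" >&2
        return 2
    fi
    who="${USER:-$(id -un)}"; remote_user="${target%@*}"; server="${target#*@}"
    start="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    printf 'START %s user=%s target=%s@%s cmd=%s\n' \
        "$start" "$who" "$remote_user" "$server" "$cmd" >> "$AUDIT_LOG"
    $SSH_CMD "$target" "$cmd"
    rc=$?
    end="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    printf 'END   %s user=%s target=%s@%s rc=%s\n' \
        "$end" "$who" "$remote_user" "$server" "$rc" >> "$AUDIT_LOG"
    return "$rc"
}

run_script_on_all() {
    # usage: run_script_on_all script-file server-list-file
    # Audited form of the page's loop over `cat ServerList` with "`cat script`".
    script="$1"; list="$2"; failures=0
    while read -r server; do
        [ -n "$server" ] || continue
        # </dev/null stops the remote command from consuming the rest of the list
        audit_run "root@$server" "$(cat "$script")" </dev/null || failures=$((failures + 1))
    done < "$list"
    return "$failures"   # number of servers on which the script failed
}
```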