[Gllug] ssh authentification

Tethys sta296 at astradyne.co.uk
Wed Jul 19 00:26:50 UTC 2006

Joel Bernstein writes:

>Frighteningly, you can remove the passphrase on a SSL private key.
>Stupid apache admins who don't know about "apachectl -k graceful" do
>that so they can have unattended restarts of apache mod_ssl.

There's nothing stupid about it at all. You have a choice. Either
you require human interaction to start the server, or you don't. If
you choose the latter, then you basically have to use passphraseless
private keys (unless you go for a hardware solution, but that's not
practical in most cases). You're trading off security for availability.
Where you lie on that spectrum determines which strategy you use.

Gllug mailing list  -  Gllug at gllug.org.uk

More information about the GLLUG mailing list