
Re: Bug#112020: ITP: keychain -- An OpenSSH key manager

On Tue, Sep 11, 2001 at 03:00:44PM -0500, Cesar Mendoza wrote:
> Package: wnpp
> Severity: whishlist
             ^ typo
>  From the keychain help:
>  Keychain is an OpenSSH key manager, typically run from
>  ~/.bash_profile. When run, it will make sure ssh-agent is running;
>  if not, it will start ssh-agent. It will redirect ssh-agent's

I would prefer if this program weren't packaged for Debian. It
demonstrates cluelessness on the part of its author and encourages bad
security practice in two ways:

- ssh-agent running continuously 24/7 with valid keys
- ssh-agent running on the machines that you log into, rather than
  only on the machine you sit at

For Debian, under X ssh-agent is already running when the user logs
in, so you can access it from any number of X terminals. On the
console, if you want equivalent features, use RSA/DSA keys without a
pass phrase. KEYCHAIN IS NOT MORE SECURE THAN THAT. It is no problem
and tools exist to extract the keys from a running ssh-agent process.

I'd like to remind you that inappropriate use of ssh-agent has in the
past resulted in a hacker getting access to important servers. (IIRC
it was only mentioned on -private at the time, so no details.)

What's really needed is a little work on ssh-agent so that
- when ssh asks for a DSA passphrase, it also sends it to ssh-agent
- ssh-agent can expire keys after some time of inactivity



  __   _
  |_) /|  Richard Atterer     |  CS student at the Technische  |  GnuPG key:
  | \/¯|  http://atterer.net  |  Universität München, Germany  |  0x888354F7
  ¯ ´` ¯

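As an added example, not code from this thread or from keychain itself: a ~/.bash_profile fragment that takes the opposite approach to the one criticised above. It reuses an agent that is already running (such as the one Debian's X session starts), declines to start one on a host reached over ssh (assuming sshd sets SSH_CONNECTION, as OpenSSH does), and loads keys with a lifetime via `ssh-add -t` so they do not stay valid indefinitely; the KEY_LIFETIME variable and the function names are this example's own.

```shell
#!/bin/sh
# agent_decision SSH_CONNECTION SSH_AUTH_SOCK
# Prints one of: remote, reuse, start. Pure function, so it can be
# exercised without a real agent.
agent_decision() {
    conn="$1"; sock="$2"
    # Logged in over ssh: never start or load an agent on a remote host.
    if [ -n "$conn" ]; then
        echo remote; return 0
    fi
    # An agent socket already exists (e.g. from the X session): reuse it.
    if [ -n "$sock" ] && [ -S "$sock" ]; then
        echo reuse; return 0
    fi
    echo start
}

# Seconds a key stays loaded; the agent drops it afterwards (ssh-add -t).
# Name chosen for this example; adjust to taste.
KEY_LIFETIME="${KEY_LIFETIME:-3600}"

setup_agent() {
    case "$(agent_decision "${SSH_CONNECTION:-}" "${SSH_AUTH_SOCK:-}")" in
        remote)
            # Rely on agent forwarding from the local machine if a key is needed.
            return 0 ;;
        start)
            # ssh-agent -s prints shell assignments for SSH_AUTH_SOCK/SSH_AGENT_PID.
            eval "$(ssh-agent -s)" >/dev/null ;;
    esac
    # ssh-add -l exits 0 only when identities are loaded; otherwise load
    # the default keys with a bounded lifetime (prompts for the passphrase).
    if ! ssh-add -l >/dev/null 2>&1; then
        ssh-add -t "$KEY_LIFETIME"
    fi
}
```

Source the file from ~/.bash_profile and call `setup_agent`; nothing runs at load time.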