
Re: Bug#112020: ITP: keychain -- An OpenSSH key manager



On Wed, Sep 12, 2001 at 01:05:12PM +0200, Richard Atterer wrote:
> On Tue, Sep 11, 2001 at 03:00:44PM -0500, Cesar Mendoza wrote:
> > Package: wnpp
> > Severity: whishlist
>              ^ typo
I know, and the ITP was reassigned to wishlist.
> >  From the keychain help:
> > 
> >  Keychain is an OpenSSH key manager, typically run from
> >  ~/.bash_profile. When run, it will make sure ssh-agent is running;
> >  if not, it will start ssh-agent. It will redirect ssh-agent's
> 
> I would prefer if this program weren't packaged for Debian. It
> demonstrates cluelessness on the part of its author and encourages bad
> security practice in two ways:
>
> - ssh-agent running continuously 24/7 with valid keys
> - ssh-agent running on the machines that you log into, rather than
>   only on the machine you sit at
> 

I find the package useful and I'm also aware of the shortcomings of
ssh-agent, but what is your solution for cron jobs that do rsync over ssh?
I don't think that passphrase-less keys are an option. What you are
doing is building a case against ssh-agent; keychain is just a wrapper
around it.
> For Debian, under X ssh-agent is already running when the user logs
> in, so you can access it from any number of X terminals. On the
> console, 
In my case I don't have X.
> if you want equivalent features, use RSA/DSA keys without a
> pass phrase. KEYCHAIN IS NOT MORE SECURE THAN THAT. It is no problem
> and tools exist to extract the keys from a running ssh-agent process.

Just because there are tools to open my house, that doesn't mean
that I have to leave my house open.

> 
> I'd like to remind you that inappropriate use of ssh-agent has in the
> past resulted in a hacker getting access to important servers. (IIRC
> it was only mentioned on -private at the time, so no details.)
>

I'm aware of that, and the tool offers an option to ask for the
passphrase every time you log in if you decide to use it in your login
script. For a better discussion on keychain please read:
http://www-106.ibm.com/developerworks/library/l-keyc2/
and
http://www.gentoo.org/projects/keychain.html

> What's really needed is a little work on ssh-agent so that
> - when ssh asks for a DSA passphrase, it also sends it to ssh-agent
> - ssh-agent can expire keys after some time of inactivity
> 
I know that, but for now we have to work with what we have, don't you
think?

Bye
Cesar Mendoza
http://www.kitiara.org
--
"A scientist once wrote that all truth passes through three stages:
first it is ridiculed, then violently opposed and eventually, 
accepted as self-evident."
 -- Schopenhauer
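Both sides of the exchange above turn on two mechanics: how an agent's environment is persisted so that later logins and cron jobs can reuse it, and how long the keys stay loaded. The script below is an added example for this archive, not keychain's own code and not from either poster. It assumes the agent environment lives in $HOME/.ssh/agent.env (a path chosen here, not keychain's), that the caller supplies the key to load, and that OpenSSH's ssh-agent and ssh-add are on PATH. It loads the key with ssh-add -t, which later OpenSSH releases added, so the key expires after a fixed lifetime; that is close to, but not the same as, the inactivity-based expiry Richard asks for (ssh-add -c, per-use confirmation, is the other option OpenSSH offers).

```shell
#!/bin/sh
# Keychain-style ssh-agent bootstrap for a login script and for cron jobs.
# Added example: not keychain's own code. Assumed, not from the thread:
#   - the agent environment is persisted in $HOME/.ssh/agent.env
#   - the key to load is passed in by the caller
# Needs OpenSSH's ssh-agent and ssh-add on PATH when an agent is started.

AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# agent_env_ok FILE
#   Source FILE (the output of `ssh-agent -s`) into the current shell and
#   report whether it still describes a live agent: SSH_AUTH_SOCK must be
#   set and SSH_AGENT_PID must name a running process.
#   Returns 0 if usable, 1 if the file is missing or stale.
agent_env_ok() {
    [ -r "$1" ] || return 1
    SSH_AUTH_SOCK=''
    SSH_AGENT_PID=''
    # `ssh-agent -s` output ends with an `echo Agent pid ...`; silence it.
    # shellcheck disable=SC1090
    . "$1" >/dev/null 2>&1 || return 1
    [ -n "$SSH_AUTH_SOCK" ] || return 1
    [ -n "$SSH_AGENT_PID" ] || return 1
    kill -0 "$SSH_AGENT_PID" 2>/dev/null
}

# start_agent FILE LIFETIME KEY
#   Reuse the agent described by FILE, or start a new one and persist its
#   environment with mode 0600. Then, if the agent holds no keys, load KEY
#   for at most LIFETIME (ssh-add -t, e.g. 8h) so it does not stay resident
#   24/7. This is a fixed lifetime, not inactivity-based expiry.
start_agent() {
    file=$1; life=$2; key=$3
    if ! agent_env_ok "$file"; then
        ( umask 077; ssh-agent -s > "$file" ) || return 1
        agent_env_ok "$file" || return 1
    fi
    # ssh-add -l exits 0 with keys loaded, 1 with none, 2 if no agent.
    if ! ssh-add -l >/dev/null 2>&1; then
        ssh-add -t "$life" "$key"    # prompts for the passphrase once
    fi
}

# Login-script use (e.g. from ~/.bash_profile):
#   . "$HOME/bin/agent-bootstrap.sh"
#   start_agent "$AGENT_ENV" 8h "$HOME/.ssh/id_ed25519"
#
# Cron use: the job only needs the persisted environment, never a
# passphrase-less key. Example crontab line:
#   0 3 * * *  . "$HOME/.ssh/agent.env" >/dev/null && rsync -a -e ssh /data backup:/data
# Once the key's lifetime has run out the job fails instead of silently
# falling back to an unprotected key; the next interactive login reloads it.

# When run directly with "LIFETIME KEY" arguments, bootstrap the agent.
if [ "$#" -eq 2 ]; then
    start_agent "$AGENT_ENV" "$1" "$2"
fi
```

The environment file is what turns "ssh-agent running 24/7" into something a cron job can reach, so its mode matters as much as the agent socket's: anyone who can read it and connect to the socket can use the loaded keys. The lifetime passed to ssh-add is the one knob that bounds that exposure without giving up the passphrase.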


