
Re: Bug#112020: ITP: keychain -- An OpenSSH key manager

On Wed, Sep 12, 2001 at 01:05:12PM +0200, Richard Atterer wrote:
> On Tue, Sep 11, 2001 at 03:00:44PM -0500, Cesar Mendoza wrote:
> > Package: wnpp
> > Severity: whishlist
>              ^ typo
I know and the ITP was reassigned to wishlist.
> >  From the keychain help:
> > 
> >  Keychain is an OpenSSH key manager, typically run from
> >  ~/.bash_profile. When run, it will make sure ssh-agent is running;
> >  if not, it will start ssh-agent. It will redirect ssh-agent's
> I would prefer if this program weren't packaged for Debian. It
> demonstrates cluelessness on the part of its author and encourages bad
> security practice in two ways:
> - ssh-agent running continuously 24/7 with valid keys
> - ssh-agent running on the machines that you log into, rather than
>   only on the machine you sit at

I find the package useful and I'm also aware of the shortcomings of
ssh-agent, but what's your solution for cron jobs that do rsync over ssh?
And I don't think that passphrase-less keys are an option. What you are
doing is building a case against ssh-agent; keychain is just a wrapper
around it.
> For Debian, under X ssh-agent is already running when the user logs
> in, so you can access it from any number of X terminals. On the
> console, 
In my case I don't have X.
> if you want equivalent features, use RSA/DSA keys without a
> pass phrase. KEYCHAIN IS NOT MORE SECURE THAN THAT. It is no problem
> and tools exist to extract the keys from a running ssh-agent process.

Just because there are tools to open my house, that doesn't mean
that I have to leave my house open.

> I'd like to remind you that inappropriate use of ssh-agent has in the
> past resulted in a hacker getting access to important servers. (IIRC
> it was only mentioned on -private at the time, so no details.)

I'm aware of that, and the tool offers an option to ask for the
passphrase every time you log in if you decide to use it in your login
script. For a better discussion on keychain please read:

> What's really needed is a little work on ssh-agent so that
> - when ssh asks for a DSA passphrase, it also sends it to ssh-agent
> - ssh-agent can expire keys after some time of inactivity
I know that but for now we have to work with what we have, don't you

Cesar Mendoza
"A scientist once wrote that all truth passes through three stages:
first it is ridiculed, then violently opposed and eventually, 
accepted as self-evident."
 -- Schopenhauer
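The two objections in the thread (keys sitting in an agent indefinitely, and agents lingering on servers you log into) each have a concrete defensive check. The script below is an added example and is not code from the thread, from keychain, or from OpenSSH; it assumes a modern OpenSSH whose `ssh-add` accepts `-t` (a maximum key lifetime in seconds, which is the expiry feature Richard asked for), and the agent socket layout `/tmp/ssh-*/agent.<pid>` that OpenSSH uses by default. The function names and the sample directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original mail thread.

# 1. Load a key with a bounded lifetime instead of leaving it in the
#    agent 24/7. ssh-add -t <seconds> makes the agent forget the key
#    after that interval. Usage: load_key_with_lifetime KEYFILE [SECONDS]
#    Returns 2 on a bad lifetime, 1 when no agent is reachable, otherwise
#    whatever ssh-add returns.
load_key_with_lifetime() {
    key=$1
    life=${2:-3600}                      # default: one hour
    case $life in
        ''|*[!0-9]*) echo "lifetime must be a whole number of seconds" >&2; return 2 ;;
    esac
    if [ -z "$SSH_AUTH_SOCK" ]; then     # agent socket not exported: nothing to add to
        echo "no ssh-agent socket in SSH_AUTH_SOCK" >&2
        return 1
    fi
    ssh-add -t "$life" "$key"
}

# 2. Audit a host for agent sockets left behind by logins (the "ssh-agent
#    running on the machines that you log into" objection). OpenSSH
#    creates one per agent as <tmpdir>/ssh-XXXXXXXX/agent.<pid>; an
#    agent that outlives its session leaves its socket here.
#    Usage: find_agent_sockets /tmp
find_agent_sockets() {
    find "$1" -path '*/ssh-*/agent.*' 2>/dev/null
}

# Count of such sockets under a root, for use in a monitoring check.
count_agent_sockets() {
    find_agent_sockets "$1" | wc -l | tr -d ' '
}
```

Run `count_agent_sockets /tmp` on a login server from cron and alert when the number grows past the number of active sessions; on the workstation side, replace bare `ssh-add` in the login script with `load_key_with_lifetime ~/.ssh/id_dsa 3600` so a forgotten session does not keep the key usable indefinitely.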
