
Re: Bug#112020: ITP: keychain -- An OpenSSH key manager



On Wed, Sep 12, 2001 at 11:06:30PM -0400, Daniel Jacobowitz wrote:
> Keychain is functionally equivalent to a passphraseless key, though.

Exactly my point! The only additional thing you get with keychain is a
false sense of security.


On Wed, Sep 12, 2001 at 07:08:32PM -0500, Cesar Mendoza wrote:
> I find the package useful and I'm also aware of the shortcomings of
> ssh-agent, but what's your solution to cron jobs that do rsync over
> ssh?

SSH keys without a passphrase! :-/ Not that I like the idea, but you
have to realize that keychain buys you absolutely nothing!

> and I don't think that pass phrase less keys is an option.

Sorry, but I can't understand why you think keychain is more secure.

> > What's really needed is a little work on ssh-agent so that
> > - when ssh asks for a DSA passphrase, it also sends it to ssh-agent
> > - ssh-agent can expire keys after some time of inactivity
> > 
> I know that but for now we have to work with what we have, don't you
> think?

Indeed.

You might want to experiment with the following: Create a dedicated
user on the machine that you log into, whose default shell is not
/bin/sh, but a script of yours which executes rsync with the right
options, no matter what arguments are passed to it. Also, the user
should not be able to write to any files in his home directory.

This way, even if the key is compromised, it will be difficult for the
attacker to do anything but run that one command. This doesn't provide
an awful lot of security, and a determined attacker might find a way
to circumvent it, but it's already a lot better than a completely open
account.

Cheers,

  Richard

-- 
  __   _
  |_) /|  Richard Atterer     |  CS student at the Technische  |  GnuPG key:
  | \/¯|  http://atterer.net  |  Universität München, Germany  |  0x888354F7
  ¯ ´` ¯
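
The restricted login shell suggested in the message above, as an added example that is not part of the original post. The script name `rsync-only-shell`, the path `/srv/backup/`, the rsync server flags and the `logger` tag are assumptions; the flags have to match what the client side of rsync sends.

```shell
#!/bin/sh
# Login shell for a dedicated rsync-only account (added example).
# Assumed values, not from the original message: the path, the rsync
# server flags, the script name and the syslog tag.
FIXED_CMD='rsync --server --sender -logDtpr . /srv/backup/'

# sshd starts the login shell as: <shell> -c '<command sent by client>'.
# Return that command so it can be logged; it is never executed.
requested_command() {
    if [ "$1" = "-c" ]; then
        printf '%s' "$2"
    else
        printf '%s' '(interactive login)'
    fi
}

# Succeeds when the client asked for anything other than the fixed command.
is_unexpected() {
    [ "$(requested_command "$@")" != "$FIXED_CMD" ]
}

# Succeeds when the account can write to the given directory. This only
# checks the directory itself, not every file below it.
home_writable() {
    [ -w "$1" ]
}

main() {
    # Fail closed if the account could plant files in its own home.
    if home_writable "$HOME"; then
        logger -t rsync-only "refusing to run: $HOME is writable" || true
        exit 1
    fi
    # Record requests that differ from the fixed command, for detection.
    if is_unexpected "$@"; then
        logger -t rsync-only "ignored: $(requested_command "$@")" || true
    fi
    set -f              # no globbing when the fixed string is split
    exec $FIXED_CMD     # always the same command, whatever was passed
}

# Run only when installed under the assumed name, so the functions can
# be loaded and checked without starting rsync.
case "${0##*/}" in
    rsync-only-shell) main "$@" ;;
esac
```

A syslog entry tagged `rsync-only` with an "ignored" request is a sign that the key is being used for something other than the cron job.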
