Re: Bug#112020: ITP: keychain -- An OpenSSH key manager
On Thu, Sep 13, 2001 at 06:46:57AM -0500, Steve Greenland wrote:
> On 12-Sep-01, 19:08 (CDT), Cesar Mendoza <email@example.com> wrote:
> > I find the package useful and I'm also aware of the shortcomings of
> > ssh-agent, but was your solution to cron job's that do rsync over ssh?
> > and I don't think that pass phrase less keys is an option.
> Why not? Create a dedicated key for the job, and set the options on the
> key to minimize its functionality to only that absolutely needed
> for the job (from="myhost.whatever", etc.).
That is the setup I have (a especial key just for the cronjob, but since
it is runing under my user name, I like to use ssh-agent to add my other
keys, then delete them when the session is over), but I want the key to
have passphrase, because the moment I shutdown ssh-agent everything is
secure again, with the passphrase-less key you are insecure all the time
no matter what until you add a passphrase again. For example if I reboot
my machine I know that I'm secure until I start ssh-agent, with the
other option you don't.
>That, to my taste, seems a
> lot more secure than what keychain does. Admitted, that may be only my
> perception, but I doubt that it is an *less* secure.
> >What you are doing is building a case against ssh-agent, keychain is
> >just a wrapper around it.
> Ssh-agent can be used and abused. Keychain seems to encourage abuse. It
> adds an extra layer of things to go wrong.
Yeah, but those that means that we are going to censor the package just
because it can be abused. I just wanted to include it on the distribution
because I had an script that did something similar and I though that
other people may be looking for something like that.
Am I wrong? and we are going to censor packages just because you can
shoot yourself on the foot. Do I have to add a disclaimer to the package?
I expect that people that don't like it just don't use it.
"Thank you for the latest release of gradewrecker.
My GPA just went in the corner and shot itself."
-- USENET posting refering to
the latest release of NetHack, author unknown