Re: Bug#112020: ITP: keychain -- An OpenSSH key manager

On Thu, Sep 13, 2001 at 06:46:57AM -0500, Steve Greenland wrote:
> On 12-Sep-01, 19:08 (CDT), Cesar Mendoza <mendoza@kitiara.org> wrote: 
> > 
> > I find the package useful and I'm also aware of the shortcomings of
> > ssh-agent, but what was your solution for cron jobs that do rsync over ssh?
> > And I don't think that passphrase-less keys are an option.
> Why not? Create a dedicated key for the job, and set the options on the
> key to minimize its functionality[1] to only that absolutely needed
> for the job (from="myhost.whatever", etc.).

That is the setup I have (a special key just for the cron job, but since
it is running under my user name, I like to use ssh-agent to add my other
keys, then delete them when the session is over), but I want the key to
have a passphrase, because the moment I shut down ssh-agent everything is
secure again; with the passphrase-less key you are insecure all the time,
no matter what, until you add a passphrase again. For example, if I reboot
my machine I know that I'm secure until I start ssh-agent; with the
other option you don't.

> That, to my taste, seems a
> lot more secure than what keychain does. Admitted, that may be only my
> perception, but I doubt that it is any *less* secure.
> > What you are doing is building a case against ssh-agent, keychain is
> > just a wrapper around it.
> Ssh-agent can be used and abused. Keychain seems to encourage abuse. It
> adds an extra layer of things to go wrong.
> Steve

Yeah, but that means that we are going to censor the package just
because it can be abused. I just wanted to include it in the distribution
because I had a script that did something similar and I thought that
other people may be looking for something like that.

Am I wrong, and are we going to censor packages just because you can
shoot yourself in the foot? Do I have to add a disclaimer to the package?
I expect that people that don't like it just don't use it.

Cesar Mendoza
"Thank you for the latest release of gradewrecker.
My GPA just went in the corner and shot itself."
 -- USENET posting referring to
    the latest release of NetHack, author unknown
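Steve's suggestion of a dedicated, option-restricted key for the cron job, worked through as an added example that is not part of this thread or of the keychain package: one function builds an authorized_keys entry that pins the key to a source host, a forced command and no forwarding or pty, and a second audits an authorized_keys file for entries that carry no from= restriction at all. The public key, host name and command used below are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): restrict a dedicated cron key in
# authorized_keys and audit a file for keys that were left unrestricted.

# restrict_key PUBKEY FROM_HOST COMMAND
# Prints one authorized_keys line: the key is only accepted from FROM_HOST,
# can only run COMMAND, and gets no port/X11/agent forwarding and no pty.
restrict_key() {
    pubkey=$1; from_host=$2; cmd=$3
    printf 'from="%s",command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$from_host" "$cmd" "$pubkey"
}

# audit_keys FILE
# Prints every non-comment key line that has no from= option and returns 1
# if at least one such line exists, 0 if every key is host-restricted.
audit_keys() {
    found=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        case $line in
            *'from="'*) ;;
            *) printf 'UNRESTRICTED: %s\n' "$line"; found=1 ;;
        esac
    done < "$1"
    return $found
}

# Usage with constructed placeholder values (run as a script):
# restrict_key "ssh-rsa AAAAB3...constructed cron@myhost" "myhost.whatever" \
#     "/usr/local/bin/rsync-wrapper" >> ~/.ssh/authorized_keys   # hypothetical wrapper path
# audit_keys ~/.ssh/authorized_keys
```

The forced command must be whatever rsync's server side actually invokes for the job, so in practice it is usually a small wrapper script that validates the arguments; the path above is a placeholder, not a real file.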
