
Re: Bug#112020: ITP: keychain -- An OpenSSH key manager

On Thu, Sep 13, 2001 at 06:46:57AM -0500, Steve Greenland wrote:
> On 12-Sep-01, 19:08 (CDT), Cesar Mendoza <mendoza@kitiara.org> wrote: 
> > 
> > I find the package useful and I'm also aware of the shortcomings of
> > ssh-agent, but what was your solution for cron jobs that do rsync over ssh?
> > And I don't think that passphrase-less keys are an option.
> 
> Why not? Create a dedicated key for the job, and set the options on the
> key to minimize its functionality[1] to only that absolutely needed
> for the job (from="myhost.whatever", etc.). 

That is the setup I have (a special key just for the cron job, but since
it is running under my user name, I like to use ssh-agent to add my other
keys, then delete them when the session is over), but I want the key to
have a passphrase, because the moment I shut down ssh-agent everything is
secure again; with the passphrase-less key you are insecure all the time,
no matter what, until you add a passphrase again. For example, if I reboot
my machine I know that I'm secure until I start ssh-agent; with the
other option you don't.

> That, to my taste, seems a
> lot more secure than what keychain does. Admittedly, that may be only my
> perception, but I doubt that it is any *less* secure.
> 
> > What you are doing is building a case against ssh-agent; keychain is
> > just a wrapper around it.
> 
> Ssh-agent can be used and abused. Keychain seems to encourage abuse. It
> adds an extra layer of things to go wrong.
>
> Steve

Yeah, but that means that we are going to censor the package just
because it can be abused. I just wanted to include it in the distribution
because I had a script that did something similar and I thought that
other people might be looking for something like that.

Am I wrong? Are we going to censor packages just because you can
shoot yourself in the foot? Do I have to add a disclaimer to the package?
I expect that people who don't like it will just not use it.

Bye
Cesar Mendoza
http://WWW.kitiara.org
--
"Thank you for the latest release of gradewrecker. 
My GPA just went in the corner and shot itself."
 -- USENET posting referring to
 	the latest release of NetHack, author unknown
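The restricted-key setup Steve describes above (a dedicated key for the job with from= and other options limiting what it can do), as an added example that is not part of this thread or of keychain itself: a POSIX sh helper that builds an authorized_keys entry for a single-purpose cron key (from=, a forced command and the no-* options), and an audit function that reads authorized_keys lines and reports entries that lack those restrictions. The host name, rsync command, paths, comments and key material are constructed for the example; the key blobs are not real keys.

```shell
#!/bin/sh
# Added example, not code from the thread or from keychain.
# A passphrase-less key is tolerable for a cron job only if the
# authorized_keys entry on the far side pins where it may come from and
# what it may run.  These helpers build such an entry and audit a file
# for entries that are missing the restrictions.

# Build a restricted authorized_keys line.
#   $1 = from= pattern (host name or address the job connects from)
#   $2 = forced command (the only thing this key may execute)
#   $3 = public key text, e.g. the contents of ~/.ssh/cron_backup.pub
#        (create one with: ssh-keygen -t ed25519 -N '' -f ~/.ssh/cron_backup)
build_restricted_entry() {
    printf 'from="%s",command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$1" "$2" "$3"
}

# Return the options field of one authorized_keys line, i.e. everything
# before the key type token and the base64 key blob.  Lines without
# options return an empty string.  (Assumption: an option value never
# itself contains "<space>ssh-<type> <base64>", which is true of normal
# entries.)
key_options() {
    printf '%s\n' "$1" |
        sed -E 's#(^| )(ssh-|ecdsa-|sk-)[A-Za-z0-9@.-]+ [A-Za-z0-9+/=]+.*$##'
}

# Read authorized_keys lines on stdin; for every key entry that lacks a
# from= or command= restriction print "<comment>: missing <options>".
# Blank lines and comments are skipped.  Prints nothing if all entries
# are restricted.
audit_authorized_keys() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        opts=$(key_options "$line")
        comment=${line##* }        # last whitespace-separated field
        missing=''
        case "$opts" in *from=*) ;; *) missing="$missing from=" ;; esac
        case "$opts" in *command=*) ;; *) missing="$missing command=" ;; esac
        if [ -n "$missing" ]; then
            printf '%s: missing%s\n' "$comment" "$missing"
        fi
    done
}

# Constructed sample authorized_keys content (fake key material).
SAMPLE_KEYS='# constructed sample, not a real authorized_keys file
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterialOnlyForThisExample cron-backup-unrestricted
from="myhost.whatever",command="rsync --server --sender -logDtpr . /srv/backup",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterialOnlyForThisExample cron-backup-restricted
from="myhost.whatever" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQFakeKeyMaterial cron-backup-host-only
'

# Stand-alone run: show a freshly built entry, then audit the sample.
build_restricted_entry 'myhost.whatever' \
    'rsync --server --sender -logDtpr . /srv/backup' \
    'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterialOnlyForThisExample cron-backup'
printf '%s\n' "$SAMPLE_KEYS" | audit_authorized_keys
```

Running the block prints the built entry and then two findings from the sample: the first key has no options at all, and the third has from= but no forced command, so a stolen copy of that key could still open an interactive shell from the named host. A key like the second entry is limited to one rsync invocation from one host, which is the sense in which Steve's dedicated-key setup narrows the damage an unencrypted key can do. Run the audit against a real file with `audit_authorized_keys < ~/.ssh/authorized_keys`.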