These are not equivalent situations. If the machine is turned off, keychain's keys are removed from memory. The passphraseless key is still on disk. It's also significantly harder to get the key out of ssh-agent's memory than it is to read it off of disk.

Keychain is inappropriate for many situations. One case where it fits perfectly is an ssh gateway machine: lots of people connecting to a single account, which has a key with access to a wide-spread network. They get transparent access, their access to the wide-spread network can be controlled at the choke-point of the gateway machine, and the widely deployed key can be rotated smoothly and transparently. Only a few highly trusted people know the passphrase.

This is *significantly* better than the other alternatives:

* Put their keys on the wide-spread network. Now you have a KMI nightmare. Hundreds of keys to protect, and rotating them is hard, slow, and unreliable. Tracking what's been rotated is even worse.

* Put a passphraseless key on the gateway machine. People will copy it to their home machines, desktops, wireless Windows laptops, and so on. It's more convenient and helps them do their jobs.

* Tell everyone the passphrase. Same problem.

-Brian

Daniel Jacobowitz <dan@debian.org> writes:

> On Wed, Sep 12, 2001 at 07:08:32PM -0500, Cesar Mendoza wrote:
> > I find the package useful and I'm also aware of the shortcomings of
> > ssh-agent, but was your solution to cron jobs that do rsync over ssh?
> > and I don't think that passphraseless keys are an option. What you are
> > doing is building a case against ssh-agent, keychain is just a wrapper
> > around it.
>
> Keychain is functionally equivalent to a passphraseless key, though.

-- 
Brian Sniffen                                       bts@akamai.com
Security Engineer                            day: (617) 613-2642
                                             cel: (617) 721-0927
Akamai Technologies                          eve: (781) 874-0699
                                             pi:  (314) 159-2654
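The thread's central point is that a passphraseless key is a secret sitting on disk, while a keychain-loaded key lives only in ssh-agent's memory and is gone when the host is powered off. A practitioner who has to defend that distinction on a gateway host wants a way to find passphraseless keys on disk. The following is an added example, not code from this thread or from the keychain project: it parses the header of an OpenSSH private key (the `openssh-key-v1` format, whose first two wire-format strings are the cipher and KDF names; `none` means no passphrase) and the older PEM format (where an encrypted key carries a `Proc-Type: 4,ENCRYPTED` header), and flags the unencrypted ones. The sample keys are constructed in the code itself and are not real or decryptable key material; the function and variable names are the example's own.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf, offset):
    """Read one SSH wire-format string (uint32 big-endian length, then bytes)."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length


def classify_private_key(text):
    """Report the format, cipher, KDF and whether a private key file is encrypted.

    Only the header is inspected; nothing is decrypted, so a passphraseless
    key is detected without ever touching the private scalar.
    """
    lines = [line.strip() for line in text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_string(blob, off)   # e.g. b"aes256-ctr" or b"none"
        kdf, off = _read_string(blob, off)      # e.g. b"bcrypt" or b"none"
        return {
            "format": "openssh",
            "cipher": cipher.decode(),
            "kdf": kdf.decode(),
            "encrypted": cipher != b"none",
        }
    if lines[0].startswith("-----BEGIN ") and lines[0].endswith(" PRIVATE KEY-----"):
        # Legacy PEM (RSA/DSA/EC): encryption is signalled by RFC 1421 headers.
        encrypted = any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines)
        dek = next((l.split(":", 1)[1].strip() for l in lines if l.startswith("DEK-Info:")), None)
        return {
            "format": "pem",
            "cipher": dek.split(",")[0] if dek else "none",
            "kdf": "md5-pem" if encrypted else "none",
            "encrypted": encrypted,
        }
    raise ValueError("not an SSH private key")


def audit_keys(files):
    """Given {path: file text}, return the paths whose keys have no passphrase."""
    return sorted(path for path, text in files.items()
                  if not classify_private_key(text)["encrypted"])


# ---- constructed sample input (not real keys; the bcrypt options are empty) ----
def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def build_sample_openssh_key(cipher, kdf):
    """Build a minimal, header-valid openssh-key-v1 file for testing only."""
    blob = (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"")
            + struct.pack(">I", 1)              # one key pair in the file
            + _ssh_string(b"\x00" * 32)         # placeholder public key
            + _ssh_string(b"\x00" * 64))        # placeholder private section
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


SAMPLE_PEM_ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n"
    "AAAA\n"
    "-----END RSA PRIVATE KEY-----\n"
)

SAMPLE_FILES = {
    "/home/gateway/.ssh/id_ed25519": build_sample_openssh_key(b"aes256-ctr", b"bcrypt"),
    "/home/gateway/.ssh/id_rsa_backup": build_sample_openssh_key(b"none", b"none"),
    "/home/gateway/.ssh/id_rsa_legacy": SAMPLE_PEM_ENCRYPTED,
}

if __name__ == "__main__":
    for path in audit_keys(SAMPLE_FILES):
        print(f"passphraseless key on disk: {path}")
```

Run against a real `~/.ssh` on the gateway, this check is the one that distinguishes the keychain design from the "just drop a passphraseless key on the box" alternative: with keychain the audit finds only encrypted keys, and the usable secret exists solely in the agent. Only the cipher name is parsed here; a key can be encrypted with a weak passphrase, so the check proves absence of a passphrase, not strength of one.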