[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#112020: ITP: keychain -- An OpenSSH key manager



These are not equivalent situations.  If the machine is turned off,
keychain's keys are removed from memory.  The passphraseless key is
still on disk.  It's also significantly harder to get the key out of
ssh-agent's memory than it is to read it off of disk.

Keychain is inappropriate for many situations.  One case where it fits
perfectly is an ssh gateway machine:  lots of people connecting to a
single account, which has a key with access to a wide-spread network.
They get transparent access, their access to the wide-spread network
can be controlled at the choke-point of the gateway machine, and the 
widely deployed key can be rotated smoothly and transparently.  Only a
few highly trusted people know the passphrase.

This is *significantly* better than the other alternatives:

* Put their keys on the wide-spread network.  Now you have a KMI
  nightmare.  Hundreds of keys to protect, and rotating them is
  hard, slow, and unreliable.  Tracking what's been rotated is even worse.

* Put a passphraseless key on the gateway machine.  People will copy
  it to their home machines, desktops, wireless windows laptops, and
  so on.  It's more convenient and helps them do their jobs.

* Tell everyone the passphrase.  Same problem.

-Brian

Daniel Jacobowitz <dan@debian.org> writes:

> On Wed, Sep 12, 2001 at 07:08:32PM -0500, Cesar Mendoza wrote:
> > I find the package useful and I'm also aware of the shortcomings of
>> ssh-agent, but was your solution to cron job's that do rsync over ssh?
>> and I don't think that pass phrase less keys is an option. What you are
>> doing is building a case against ssh-agent, keychain is just a wrapper
>> around it.
>
> Keychain is functionaly equivalent to a passphraseless key, though.
-- 
Brian Sniffen                                         bts@akamai.com
Security Engineer         day: (617) 613-2642    cel: (617) 721-0927
Akamai Technologies       eve: (781) 874-0699     pi: (314) 159-2654 

Attachment: pgppjwTYUW2kM.pgp
Description: PGP signature


Reply to: