
Re: Bug#112020: ITP: keychain -- An OpenSSH key manager



On Thu, Sep 13, 2001 at 01:00:11PM -0400, Brian Sniffen wrote:
> 
> These are not equivalent situations.  If the machine is turned off,
> keychain's keys are removed from memory.  The passphraseless key is
> still on disk.  It's also significantly harder to get the key out of
> ssh-agent's memory than it is to read it off of disk.
> 
> Keychain is inappropriate for many situations.  One case where it fits
> perfectly is an ssh gateway machine:  lots of people connecting to a
> single account, which has a key with access to a wide-spread network.
> They get transparent access, their access to the wide-spread network
> can be controlled at the choke-point of the gateway machine, and the 
> widely deployed key can be rotated smoothly and transparently.  Only a
> few highly trusted people know the passphrase.
> 
> This is *significantly* better than the other alternatives:
> 
> * Put their keys on the wide-spread network.  Now you have a KMI
>   nightmare.  Hundreds of keys to protect, and rotating them is
>   hard, slow, and unreliable.  Tracking what's been rotated is even worse.
> 
> * Put a passphraseless key on the gateway machine.  People will copy
>   it to their home machines, desktops, wireless windows laptops, and
>   so on.  It's more convenient and helps them do their jobs.
> 
> * Tell everyone the passphrase.  Same problem.

Keychain runs as the user who owns the key, generally.  This is
equivalent to giving all your users the passphrase.  Recovering it with
a debugger is a trivial exercise for the reader.

-- 
Daniel Jacobowitz                           Carnegie Mellon University
MontaVista Software                         Debian GNU/Linux Developer
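The reply's point, that keychain holds the key under the owning UID so any same-UID process can recover it with a debugger, has a cheaper corollary: nothing in the key needs to be extracted at all, because ssh-agent will sign arbitrary data for any client that can connect to its Unix socket, and every process of that user can. The following is an added example written for this page, not code from the thread, from keychain or from OpenSSH; it speaks the agent protocol (message layouts as in draft-miller-ssh-agent) over SSH_AUTH_SOCK, and the sample identities answer and ed25519 key blob are constructed so the parsers can be exercised with no live agent present.

```python
# Added example: exercise an OpenSSH-style agent from a same-user process.
import os
import socket
import struct

# Agent message types (draft-miller-ssh-agent).
SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14


def ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def read_string(buf: bytes, off: int):
    """Parse one SSH 'string' at offset; returns (bytes, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated agent message")
    return buf[off:off + n], off + n


def frame(msg: bytes) -> bytes:
    """Agent framing: uint32 length prefix around the message body."""
    return struct.pack(">I", len(msg)) + msg


def build_request_identities() -> bytes:
    return frame(bytes([SSH_AGENTC_REQUEST_IDENTITIES]))


def build_sign_request(key_blob: bytes, data: bytes, flags: int = 0) -> bytes:
    """Ask the agent to sign `data` with the key identified by `key_blob`."""
    body = (bytes([SSH_AGENTC_SIGN_REQUEST]) + ssh_string(key_blob)
            + ssh_string(data) + struct.pack(">I", flags))
    return frame(body)


def build_identities_answer(keys) -> bytes:
    """Unframed IDENTITIES_ANSWER body as an agent would send it (offline input)."""
    body = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(keys))
    for blob, comment in keys:
        body += ssh_string(blob) + ssh_string(comment.encode())
    return body


def parse_identities_answer(msg: bytes):
    """Return [(key_blob, comment), ...] from an unframed identities answer."""
    if not msg or msg[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not an identities answer")
    (count,) = struct.unpack_from(">I", msg, 1)
    off, keys = 5, []
    for _ in range(count):
        blob, off = read_string(msg, off)
        comment, off = read_string(msg, off)
        keys.append((blob, comment.decode("utf-8", "replace")))
    return keys


def parse_sign_response(msg: bytes):
    """Return the signature blob, or None if the agent answered FAILURE."""
    if not msg or msg[0] == SSH_AGENT_FAILURE:
        return None
    if msg[0] != SSH_AGENT_SIGN_RESPONSE:
        raise ValueError("unexpected agent reply type %d" % msg[0])
    sig, _ = read_string(msg, 1)
    return sig


def key_type(blob: bytes) -> str:
    """The algorithm name is the first string inside a public key blob."""
    name, _ = read_string(blob, 0)
    return name.decode()


def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the socket")
        buf += chunk
    return buf


def agent_call(request: bytes, path=None) -> bytes:
    """Send one framed request to the agent socket; return the unframed reply."""
    path = path or os.environ.get("SSH_AUTH_SOCK")
    if not path:
        raise RuntimeError("SSH_AUTH_SOCK is not set")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(request)
        (n,) = struct.unpack(">I", recv_exact(s, 4))
        return recv_exact(s, n)


# Constructed sample: an ssh-ed25519 public key blob with a dummy 32-byte point.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_ANSWER = build_identities_answer([(SAMPLE_BLOB, "gateway key")])

if __name__ == "__main__":
    # Any process of the same user can do this: no passphrase, no debugger.
    keys = parse_identities_answer(agent_call(build_request_identities()))
    for blob, comment in keys:
        print(key_type(blob), comment)
    if keys:
        reply = agent_call(build_sign_request(keys[0][0], b"constructed data"))
        print("agent signed %d bytes" % len(parse_sign_response(reply) or b""))
```

Run it inside a session that has an agent (keychain or plain ssh-agent) and it lists every loaded identity and obtains a signature with the first one; the passphrase protects the key only until the agent holds it, after which the socket's file permissions and the UID are the whole access control.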


