[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Accounts on debian.org machines

* Matt Zimmerman 

| (Please follow up on a public list)

done, -devel has M-F-T set to.

| On Sun, Dec 07, 2003 at 06:26:48PM +0100, Tollef Fog Heen wrote:
| 
| > * Matt Zimmerman 
| >
| > | You would type a Debian password into a system that you do not trust
| > | with an ssh private key?
| > 
| > Yes, since I don't want to keep a key on them, since they are not
| > secure over time.  They are most likely secure when I'm sitting at the
| > console.  See above for an example: I don't trust that anything I put
| > permanently on the hard drive won't be compromised, however, I don't
| > think the box itself has any trojans or keysniffers installed.
| 
| This doesn't make sense to me; if the system is not trustworthy, then you
| should not trust it with any authentication data, whether passwords or ssh
| keys.

You are forgetting the temporal aspect here.  A machine may be viewed
as fairly safe when I have physical control of it.  That does not mean
that the machine is safe always, which is the case for, say my
father's windows 2000 laptop when it's only connected to a NAT-ed
internet connection.

-- 
Tollef Fog Heen                                                        ,''`.
UNIX is user friendly, it's just picky about who its friends are      : :' :
                                                                      `. `' 
                                                                        `-
Reply to: