
Re: Bug#756172: ITP: ssh-cron -- cron-like job scheduler that handles ssh key passphrases



Excerpts from Jeroen Dekkers's message of 2014-07-31 14:59:48 -0700:
> At Wed, 30 Jul 2014 22:17:43 -0700,
> tony mancill wrote:
> > I contacted the upstream author (on the cc: - hi Frank), and his concern
> > with the passphraseless key trigger mechanism is precisely that you
> > don't have a passphrase.  The key is unprotected and subject to
> > theft/unauthorized use.  This could potentially occur on the system that
> > is (normally) the legitimate source of the trigger.
> 
> But ssh-cron will need to have the passphrase to be able to use the
> key, so someone who can steal the key from ssh-cron can also steal the
> passphrase from ssh-cron. What is the added security benefit of
> storing a key and passphrase instead of a passphraseless key?
> 

Agreed.. or just using ssh-agent to hold the decrypted key in RAM and
letting CRON talk to it via a well protected socket.
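
The ssh-agent arrangement suggested in this message, as an added example that is not part of the original thread or of ssh-cron: a wrapper a cron job could call to confirm the agent socket is "well protected" before using it. The function names and the socket path in the comment are assumptions.

```shell
#!/bin/sh
# Added example (not from ssh-cron): refuse to use an ssh-agent socket
# unless only the current user can reach it.
#
# Hypothetical crontab entry, assuming the agent was started with
#   ssh-agent -a "$HOME/.ssh-agent/agent.sock"
# and this file is sourced by the job script:
#   run_with_agent "$HOME/.ssh-agent/agent.sock" ssh backup@host ./job

# Return 0 only if $1 is a UNIX socket owned by us, inside a real
# directory that is owned by us and has no group/other permission bits.
agent_socket_ok() {
    sock=$1
    [ -n "$sock" ] || return 1
    [ -S "$sock" ] || return 1      # must be a socket, not a file or FIFO
    [ -O "$sock" ] || return 1      # owned by our effective uid
    dir=$(dirname -- "$sock")
    [ ! -L "$dir" ] || return 1     # a symlinked parent could be swapped
    [ -O "$dir" ] || return 1
    # Characters 5-10 of the mode string are the group and other bits.
    perms=$(ls -ld -- "$dir" | cut -c5-10)
    [ "$perms" = "------" ] || return 1
    return 0
}

# Run a command with SSH_AUTH_SOCK set, but only after the socket
# passes the checks above. The decrypted key never leaves the agent.
run_with_agent() {
    sock=$1
    shift
    if ! agent_socket_ok "$sock"; then
        echo "refusing agent socket: $sock" >&2
        return 1
    fi
    env SSH_AUTH_SOCK="$sock" "$@"
}
```
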
