Re: Bug#756172: ITP: ssh-cron -- cron-like job scheduler that handles ssh key passphrases
- To: debian-devel <firstname.lastname@example.org>
- Subject: Re: Bug#756172: ITP: ssh-cron -- cron-like job scheduler that handles ssh key passphrases
- From: Clint Byrum <email@example.com>
- Date: Thu, 31 Jul 2014 17:49:27 -0700
- Message-id: <firstname.lastname@example.org>
- In-reply-to: <email@example.com>
- References: <20140727040536.GA17911@boson> <E1XBKED-0001lY-DW@swivel.zugschlus.de> <53D51D53.firstname.lastname@example.org> <53D9D177.email@example.com> <firstname.lastname@example.org>
Excerpts from Jeroen Dekkers's message of 2014-07-31 14:59:48 -0700:
> At Wed, 30 Jul 2014 22:17:43 -0700,
> tony mancill wrote:
> > I contacted the upstream author (on the cc: - hi Frank), and his concern
> > with the passphraseless key trigger mechanism is precisely that you
> > don't have a passphrase. The key is unprotected and subject to
> > theft/unauthorized use. This could potentially occur on the system that
> > is (normally) the legitimate source of the trigger.
> But ssh-cron will need to have the passphrase to be able to use the
> key, so someone who can steal the key from ssh-cron can also steal the
> passphrase from ssh-cron. What is the added security benefit of
> storing a key and passphrase instead of a passphraseless key?
Agreed... or just using ssh-agent to hold the decrypted key in RAM and
letting CRON talk to it via a well-protected socket.
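
The ssh-agent approach suggested in the reply above, sketched as an added example that is not part of the original thread or of ssh-cron: a wrapper a cron job could source so that it only talks to an agent socket that is actually well protected. The function names and the socket path in the comments are hypothetical.

```shell
#!/bin/sh
# Added example. Assumes the agent was started once by the job's owner with
# something like `ssh-agent -a "$HOME/.ssh/agent/agent.sock"` (hypothetical
# path) and the key was loaded interactively with ssh-add, so the passphrase
# is never stored on disk.

# True if directory $1 is a real directory owned by us with no
# group/other permission bits set.
dir_is_private() {
    [ -d "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    # Characters 5-10 of the `ls -ld` mode string are the group and other bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# True if $1 is a Unix socket we own that lives inside a private directory.
agent_socket_ok() {
    [ -n "$1" ] && [ -S "$1" ] && [ -O "$1" ] || return 1
    dir_is_private "$(dirname "$1")"
}

# Run a command against the agent only if the socket passes the checks.
# Returns 3 if the socket is rejected, 4 if the agent is unreachable or
# holds no key (ssh-add -l exits 2 and 1 respectively in those cases).
run_with_agent() {
    sock=$1
    shift
    if ! agent_socket_ok "$sock"; then
        echo "refusing agent socket: $sock" >&2
        return 3
    fi
    if ! env SSH_AUTH_SOCK="$sock" ssh-add -l >/dev/null 2>&1; then
        echo "agent unreachable or no key loaded: $sock" >&2
        return 4
    fi
    env SSH_AUTH_SOCK="$sock" "$@"
}

# Example use from a cron-invoked script (hypothetical host and command):
#   run_with_agent "$HOME/.ssh/agent/agent.sock" ssh backup@host.example uptime
```

After a reboot the agent is empty until someone loads the key again, so the job fails closed with status 4 instead of falling back to an unprotected key.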