Re: Bug#756172: ITP: ssh-cron -- cron-like job scheduler that handles ssh key passphrases
- To: debian-devel <debian-devel@lists.debian.org>
- Subject: Re: Bug#756172: ITP: ssh-cron -- cron-like job scheduler that handles ssh key passphrases
- From: Clint Byrum <spamaps@debian.org>
- Date: Thu, 31 Jul 2014 17:49:27 -0700
- Message-id: <1406854078-sup-3585@fewbar.com>
- In-reply-to: <87ppglmbor.wl%jeroen@dekkers.ch>
- References: <20140727040536.GA17911@boson> <E1XBKED-0001lY-DW@swivel.zugschlus.de> <53D51D53.7050501@debian.org> <53D9D177.5070604@debian.org> <87ppglmbor.wl%jeroen@dekkers.ch>
Excerpts from Jeroen Dekkers's message of 2014-07-31 14:59:48 -0700:
> At Wed, 30 Jul 2014 22:17:43 -0700,
> tony mancill wrote:
> > I contacted the upstream author (on the cc: - hi Frank), and his concern
> > with the passphraseless key trigger mechanism is precisely that you
> > don't have a passphrase. The key is unprotected and subject to
> > theft/unauthorized use. This could potentially occur on the system that
> > is (normally) the legitimate source of the trigger.
>
> But ssh-cron will need to have the passphrase to be able to use the
> key, so someone who can steal the key from ssh-cron can also steal the
> passphrase from ssh-cron. What is the added security benefit of
> storing a key and passphrase instead of a passphraseless key?
>
Agreed... or just using ssh-agent to hold the decrypted key in RAM and
letting CRON talk to it via a well protected socket.
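As an added illustration of the ssh-agent approach Clint describes (this is example code, not part of the thread and not ssh-cron's own code): a small POSIX sh wrapper that a cron entry can call so the job only uses an agent socket that is actually protected. It assumes the agent was started out of band with `ssh-agent -a` on a path inside a mode-0700 directory and the key loaded interactively with `ssh-add`, so the passphrase never touches disk; the socket path in the comments is hypothetical, and the ownership/permission probe uses GNU coreutils `stat -c`.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from ssh-cron.
#
# Intended setup (paths are assumptions):
#   mkdir -m 700 "$HOME/.ssh-cron"
#   ssh-agent -a "$HOME/.ssh-cron/agent.sock"     # long-lived agent
#   SSH_AUTH_SOCK="$HOME/.ssh-cron/agent.sock" ssh-add ~/.ssh/id_ed25519
# and then a crontab line such as
#   */15 * * * * /path/to/this.sh "$HOME/.ssh-cron/agent.sock" rsync -a src/ host:dst/
# The decrypted key lives only in the agent's memory; the job never sees it.

# check_agent_socket PATH
# Returns 0 when PATH is a unix socket owned by the invoking user, with no
# group/other permission bits on either the socket or its directory.
check_agent_socket() {
    sock=$1
    [ -S "$sock" ] || { echo "refusing: $sock is not a unix socket" >&2; return 1; }
    dir=$(dirname "$sock")
    me=$(id -u)

    # GNU stat: "<uid> <octal mode>", e.g. "1000 600"
    sock_info=$(stat -c '%u %a' "$sock") || return 1
    dir_info=$(stat -c '%u %a' "$dir") || return 1
    sock_uid=${sock_info% *}; sock_mode=${sock_info#* }
    dir_uid=${dir_info% *};   dir_mode=${dir_info#* }

    # Both the socket and the directory holding it must belong to us;
    # otherwise another account could have placed or replaced the socket.
    if [ "$sock_uid" != "$me" ] || [ "$dir_uid" != "$me" ]; then
        echo "refusing: $sock or $dir is not owned by uid $me" >&2
        return 1
    fi
    # Group/other digits must both be 0 (mode ends in "00"); any other
    # user who can reach the socket can sign with the agent's keys.
    case $sock_mode in *00) ;; *) echo "refusing: socket mode $sock_mode" >&2; return 1 ;; esac
    case $dir_mode  in *00) ;; *) echo "refusing: directory mode $dir_mode" >&2; return 1 ;; esac
    return 0
}

# run_with_agent SOCKET_PATH COMMAND [ARGS...]
# Validates the socket, exports it as SSH_AUTH_SOCK, and runs COMMAND.
# Returns the command's exit status, or 1 if the socket was rejected.
run_with_agent() {
    sock=$1
    shift
    check_agent_socket "$sock" || return 1
    SSH_AUTH_SOCK=$sock
    export SSH_AUTH_SOCK
    "$@"
}

# Stand-alone use: ./this.sh SOCKET COMMAND [ARGS...]
if [ "$#" -ge 2 ]; then
    run_with_agent "$@"
fi
```

The point of the directory check is that `-S` and a 0600 socket alone are not enough: if the parent directory is group- or world-writable, another local user can swap the socket for one pointing at an agent they control, or race the job. Starting the agent with an explicit `-a` path under a 0700 directory, as the comments assume, keeps the socket out of the shared `/tmp` namespace entirely; the key itself stays encrypted on disk and decrypted only inside the agent process.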