[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#756172: ITP: ssh-cron -- cron-like job scheduler that handles ssh key passphrases

Excerpts from Jeroen Dekkers's message of 2014-07-31 14:59:48 -0700:
> At Wed, 30 Jul 2014 22:17:43 -0700,
> tony mancill wrote:
> > I contacted the upstream author (on the cc: - hi Frank), and his concern
> > with the passphraseless key trigger mechanism is precisely that you
> > don't have a passphrase.  The key is unprotected and subject to
> > theft/unauthorized use.  This could potentially occur on the system that
> > is (normally) the legitimate source of the trigger.
> But ssh-cron will need to have the passphrase to be able to use the
> key, so someone who can steal the key from ssh-cron can also steal the
> passphrase from ssh-cron. What is the added security benefit of
> storing a key and passphrase instead of a passphraseless key?

Agreed.. or just using ssh-agent to hold the decrypted key in RAM and
letting CRON talk to it via a well protected socket.

Reply to: