Excerpts from Jeroen Dekkers's message of 2014-07-31 14:59:48 -0700:
> At Wed, 30 Jul 2014 22:17:43 -0700,
> tony mancill wrote:
> > I contacted the upstream author (on the cc: - hi Frank), and his concern
> > with the passphraseless key trigger mechanism is precisely that you
> > don't have a passphrase. The key is unprotected and subject to
> > theft/unauthorized use. This could potentially occur on the system that
> > is (normally) the legitimate source of the trigger.
>
> But ssh-cron will need to have the passphrase to be able to use the
> key, so someone who can steal the key from ssh-cron can also steal the
> passphrase from ssh-cron. What is the added security benefit of
> storing a key and passphrase instead of a passphraseless key?
>
Agreed.. or just using ssh-agent to hold the decrypted key in RAM and letting CRON talk to it via a well protected socket.
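
An added example, not part of the thread and not code from ssh-cron: a pre-flight check a cron job could run before using the agent socket named in SSH_AUTH_SOCK. The function name agent_socket_problems and the policy it enforces (socket and its directory owned by the job's user, with no group or other access) are assumptions about what "well protected" should mean here.

```python
import os
import stat
import sys


def agent_socket_problems(sock_path, uid=None):
    """Return reasons the agent socket is not well protected (empty list = OK)."""
    uid = os.getuid() if uid is None else uid
    try:
        # lstat: a symlink planted at the path must not be followed.
        st = os.lstat(sock_path)
    except OSError as exc:
        return [f"cannot stat socket: {exc.strerror}"]

    problems = []
    if not stat.S_ISSOCK(st.st_mode):
        problems.append("path is not a Unix socket")
    if st.st_uid != uid:
        problems.append(f"socket owned by uid {st.st_uid}, expected {uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("socket is accessible to group or others")

    # The containing directory decides who can replace or reach the socket.
    parent = os.stat(os.path.dirname(os.path.abspath(sock_path)))
    if parent.st_uid != uid:
        problems.append(f"socket directory owned by uid {parent.st_uid}, expected {uid}")
    if parent.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("socket directory is accessible to group or others")
    return problems


if __name__ == "__main__":
    # Intended use from a cron wrapper: refuse to run ssh if the check fails.
    path = os.environ.get("SSH_AUTH_SOCK")
    if not path:
        sys.exit("SSH_AUTH_SOCK is not set; no agent to talk to")
    found = agent_socket_problems(path)
    for line in found:
        print(f"refusing to use {path}: {line}", file=sys.stderr)
    sys.exit(1 if found else 0)
```

The check covers file permissions only; any process already running as the same user, or as root, can still ask the agent to sign with the loaded key.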