On Wed, Sep 12, 2001 at 01:05:12PM +0200, Richard Atterer wrote:
> On Tue, Sep 11, 2001 at 03:00:44PM -0500, Cesar Mendoza wrote:
> > Package: wnpp
> > Severity: whishlist
>              ^ typo

I know, and the ITP was reassigned to wishlist.

> > From the keychain help:
> >
> > Keychain is an OpenSSH key manager, typically run from
> > ~/.bash_profile. When run, it will make sure ssh-agent is running;
> > if not, it will start ssh-agent. It will redirect ssh-agent's
>
> I would prefer if this program weren't packaged for Debian. It
> demonstrates cluelessness on the part of its author and encourages bad
> security practice in two ways:
>
> - ssh-agent running continuously 24/7 with valid keys
> - ssh-agent running on the machines that you log into, rather than
>   only on the machine you sit at
>

I find the package useful and I'm also aware of the shortcomings of
ssh-agent, but what is your solution for cron jobs that do rsync over
ssh? And I don't think that passphrase-less keys are an option. What
you are doing is building a case against ssh-agent; keychain is just a
wrapper around it.

> For Debian, under X ssh-agent is already running when the user logs
> in, so you can access it from any number of X terminals. On the
> console,

In my case I don't have X.

> if you want equivalent features, use RSA/DSA keys without a
> pass phrase. KEYCHAIN IS NOT MORE SECURE THAN THAT. It is no problem
> and tools exist to extract the keys from a running ssh-agent process.

Just because there are tools to open my house, that doesn't mean that
I have to leave my house open.

> I'd like to remind you that inappropriate use of ssh-agent has in the
> past resulted in a hacker getting access to important servers. (IIRC
> it was only mentioned on -private at the time, so no details.)

I'm aware of that, and the tool offers an option to ask for the
passphrase every time you login if you decide to use it in your login
script.

For a better discussion on keychain please read:
http://www-106.ibm.com/developerworks/library/l-keyc2/
and
http://www.gentoo.org/projects/keychain.html

> What's really needed is a little work on ssh-agent so that
> - when ssh asks for a DSA passphrase, it also sends it to ssh-agent
> - ssh-agent can expire keys after some time of inactivity

I know that, but for now we have to work with what we have, don't you
think?

Bye
Cesar Mendoza
http://www.kitiara.org
-- 
"A scientist once wrote that all truth passes through three stages:
first it is ridiculed, then violently opposed and eventually, accepted
as self-evident." -- Schopenhauer
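The two concerns raised in this thread, an ssh-agent that runs 24/7 holding valid keys and an agent with no way to expire keys, can be checked and partly mitigated from a login script. The following shell script is an added example written for this page; it is not code from the thread, from keychain or from OpenSSH. It assumes a `ps` that understands `-eo pid,etimes,comm` (elapsed seconds per process), that the installed `ssh-add` supports the `-t` lifetime option that modern OpenSSH provides, and an arbitrary 8-hour policy threshold; the sample `ps` output is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): audit long-lived ssh-agent
# processes and load keys with a lifetime so the agent forgets them.

# Assumed policy: an agent older than 8 hours is flagged (seconds).
MAX_AGENT_AGE=${MAX_AGENT_AGE:-28800}

# stale_agents MAX_AGE
# Reads `ps -eo pid,etimes,comm` style lines on stdin and prints the PID
# of every ssh-agent whose elapsed time exceeds MAX_AGE, one per line.
stale_agents() {
    awk -v max="$1" '$3 == "ssh-agent" && $2 > max { print $1 }'
}

# stale_agent_count MAX_AGE
# Same input on stdin; prints only how many agents were flagged.
stale_agent_count() {
    stale_agents "$1" | wc -l | tr -d ' '
}

# Constructed sample of `ps -eo pid,etimes,comm` output (not real data):
# one fresh agent, two agents that have outlived the policy, one bash.
SAMPLE_PS='  PID ELAPSED COMMAND
 1001     120 ssh-agent
 1002  604800 ssh-agent
 1003   90000 ssh-agent
 1004  604800 bash'

# Live audit on the current host (assumes ps supports etimes).
audit_live_agents() {
    ps -eo pid,etimes,comm 2>/dev/null | stale_agents "$MAX_AGENT_AGE"
}

# Mitigation for "ssh-agent can expire keys after some time": load the
# key with a lifetime instead of leaving it valid indefinitely.
# $1 = key file, $2 = lifetime in seconds (assumes ssh-add -t exists).
load_key_with_lifetime() {
    ssh-add -t "$2" "$1"
}

# Show what the audit reports on the constructed sample when run directly.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_PS" | stale_agents "$MAX_AGENT_AGE"
fi
```

Running the script with `--demo` lists PIDs 1002 and 1003 from the constructed sample; calling `audit_live_agents` from a login script instead reports real agents that have outlived the policy on the current host, which is the condition the thread objects to. `load_key_with_lifetime ~/.ssh/id_dsa 3600` is the agent-side expiry the thread asks for, supplied by the `ssh-add -t` option rather than by keychain.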