On Thu, Sep 13, 2001 at 01:00:11PM -0400, Brian Sniffen wrote:
>
> These are not equivalent situations. If the machine is turned off,
> keychain's keys are removed from memory. The passphraseless key is
> still on disk. It's also significantly harder to get the key out of
> ssh-agent's memory than it is to read it off of disk.
>
> Keychain is inappropriate for many situations. One case where it fits
> perfectly is an ssh gateway machine: lots of people connecting to a
> single account, which has a key with access to a wide-spread network.
> They get transparent access, their access to the wide-spread network
> can be controlled at the choke-point of the gateway machine, and the
> widely deployed key can be rotated smoothly and transparently. Only a
> few highly trusted people know the passphrase.
>
> This is *significantly* better than the other alternatives:
>
> * Put their keys on the wide-spread network. Now you have a KMI
>   nightmare. Hundreds of keys to protect, and rotating them is
>   hard, slow, and unreliable. Tracking what's been rotated is even worse.
>
> * Put a passphraseless key on the gateway machine. People will copy
>   it to their home machines, desktops, wireless Windows laptops, and
>   so on. It's more convenient and helps them do their jobs.
>
> * Tell everyone the passphrase. Same problem.
Keychain runs as the user who owns the key, generally. This is
equivalent to giving all your users the passphrase. Recovering it with
a debugger is a trivial exercise for the reader.

--
Daniel Jacobowitz                           Carnegie Mellon University
MontaVista Software                         Debian GNU/Linux Developer