On Tue, Sep 11, 2001 at 03:00:44PM -0500, Cesar Mendoza wrote:
> Package: wnpp
> Severity: whishlist
             ^ typo
> From the keychain help:
>
> Keychain is an OpenSSH key manager, typically run from
> ~/.bash_profile. When run, it will make sure ssh-agent is running;
> if not, it will start ssh-agent. It will redirect ssh-agent's

I would prefer if this program weren't packaged for Debian. It
demonstrates cluelessness on the part of its author and encourages bad
security practice in two ways:

- ssh-agent running continuously 24/7 with valid keys
- ssh-agent running on the machines that you log into, rather than only
  on the machine you sit at

For Debian, under X ssh-agent is already running when the user logs in,
so you can access it from any number of X terminals.

On the console, if you want equivalent features, use RSA/DSA keys
without a pass phrase. KEYCHAIN IS NOT MORE SECURE THAN THAT. It is no
problem and tools exist to extract the keys from a running ssh-agent
process.

I'd like to remind you that inappropriate use of ssh-agent has in the
past resulted in a hacker getting access to important servers. (IIRC it
was only mentioned on -private at the time, so no details.)

What's really needed is a little work on ssh-agent so that

- when ssh asks for a DSA passphrase, it also sends it to ssh-agent
- ssh-agent can expire keys after some time of inactivity

Cheers,

  Richard

-- 
  __   _
  |_) /|  Richard Atterer     |  CS student at the Technische  |  GnuPG key:
  | \/¯|  http://atterer.net  |  Universität München, Germany  |  0x888354F7
  ¯ ´` ¯