On 13.09.2008 at 11:36, Stuart Henderson wrote:

> Not always. You might connect to another machine and connect
> out again from there.

You could directly connect from your machine to the other machine. You might bring the argument that you can't get a direct connection, but for that purpose, SSH tunneling exists.

> Of course there are some times ssh-agent is reasonably safe
> and useful. There are other times it isn't. "RTFM first" -
> you mean the one which says "This method is easily abused by
> root or another instance of the same user"?

Sorry, I assumed that you own the machine you ssh to and are root there. Sure, if it's not your machine, root could get a security issue. But root could also give you a version of ssh that has backdoors. So ssh-agent wouldn't be the concern. If I don't trust root, I wouldn't use that machine at all! And never even think about sshing from there to somewhere else!

That "RTFM first" was about the fact that you type the password locally and that ssh-agent exists. Sorry, your reply seemed like you didn't know how ssh and ssh-agent work.

> There is also the case that in some jurisdictions you can be
> required to hand over encryption keys. Some people might prefer
> to use passwords instead of encrypted certificates when they
> connect to certain hosts.

I don't know a single country where you are forced to hand over keys, but not to hand over passwords.

-- 
Jonathan
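The two alternatives argued about above, written out as an `ssh_config` fragment. This is an added illustration, not part of the thread; the host names, key file and the `bastion`/`internal` names are placeholders.

```ssh_config
# ~/.ssh/config  (added illustration; host names and key path are placeholders)

# Pattern the manual page warns about: forwarding the agent to the
# intermediate host leaves the agent socket reachable by root (or
# another session of the same user) on that host for the whole login.
Host bastion-forwarded
    HostName bastion.example.org
    ForwardAgent yes

# Pattern suggested in the reply: tunnel through the intermediate host
# and authenticate to the final host from the local machine.  The
# bastion only relays the TCP connection; the agent is never exposed.
Host bastion
    HostName bastion.example.org
    ForwardAgent no

Host internal
    HostName internal.example.org
    ProxyJump bastion
    ForwardAgent no
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_ed25519_internal
```

`ssh -G internal` prints the options that would actually be applied, which is a quick way to confirm `forwardagent no` took effect for a given host.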