keychain

Steven Michalske hardkrash at lunar-linux.org
Thu Jan 22 01:48:17 GMT 2004


i have seen it, it looks interesting

i never implemented it because i set up my xservers at all of my locations to 
use ssh-agent at login, adding my keys, prompting for passwords when required

as i am mostly in x all the time at my machines, but yes once per login

although i thought open access to all my keyed hosts would be bad if i was 
hacked :-P  (we lose security to gain convenience)  i don't put passwords on 
keys i don't want secure, and i don't think that my ssh keys should be available 
whenever i have at least one session open

a similar argument was made to a friend of mine that stored their keys in an 
encrypted loopback partition for protection

although it provided no real protection, as if he was hacked while it was 
mounted his keys would be taken.

similar arguments can be made for keychain.  if your box is rooted, and the 
user su - to your username because he saw keychain installed and your user 
using it, he now, in all probability, has access to all your vital connected 
machines :-/ and he knows them as he has your ssh known hosts too, unless you 
use the clear option, but... now you have to still type in your password.

i guess the cron job ability is intriguing, although i am missing why you would 
use keychain for a cron job,  i would rather have its own isolated ssh-agent 
with only the key it needed :-)  again security in mind, i'd hate to let my 
cron job for lunar have access to say my server at work :-(

i'll look at inclusion come this weekend if someone else hasn't included it

with this in mind i think i'll document and throw some more conservative 
scripts together ( the ones i'm using now )

hardkrash

as from gentoo, hell they are good devs i hold no grudges :-P

nb i think that it is a misuse of secure keys vs unsecure keys,  some 
interesting uses in there though my overall recommendation is to only use it 
on securely firewalled and patched machines :-P that you know are going to be 
fairly safe, i will set in the (not shooting toes off) options for the script 
though,  clear=yes
On Wednesday 21 January 2004 11:41 pm, Dave Brown wrote:
> Something else for the moonbase.  keychain is an incredibly handy
> ssh key manager, and I'm surprised it isn't in the moonbase, even if
> it does come from the folks at...that other source-based distro. :-)
>
> --Dave
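As an added illustration of the isolated-agent approach mentioned above (this is example code, not something from the original mail, from keychain, or from Lunar): a small POSIX shell wrapper that starts a throwaway ssh-agent for one cron job, loads only that job's key, runs the command, and kills the agent afterwards so the key is not left reachable from any other session. The key path and the command are placeholders; the permission check is an assumption of what a careful wrapper would do before loading a key.

```shell
#!/bin/sh
# Added example (not from the original mail): one cron job, one private agent,
# one key. Nothing from this agent outlives the job.

# Refuse a key file that group/other can read (ssh refuses such keys as well).
# Tries GNU stat first, then BSD/macOS stat.
key_perms_ok() {
    key="$1"
    [ -f "$key" ] || return 1
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key" 2>/dev/null)
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Start a throwaway agent, load exactly one key, run the command, kill the agent.
# Usage from a crontab entry (placeholders):
#   run_with_isolated_agent /home/job/.ssh/job_only_key rsync -a /src host:/dst
run_with_isolated_agent() {
    key="$1"; shift
    key_perms_ok "$key" || { echo "refusing key with loose permissions: $key" >&2; return 2; }

    # -s prints Bourne-shell export lines for SSH_AUTH_SOCK and SSH_AGENT_PID;
    # eval'ing them makes the socket visible only to this process tree.
    eval "$(ssh-agent -s)" >/dev/null || return 3

    # Kill the agent even if the command fails or the shell exits early.
    trap 'ssh-agent -k >/dev/null 2>&1' EXIT

    # Load only this job's key. A passphrase-less key is assumed for cron;
    # a passphrase would block here waiting for a terminal.
    ssh-add "$key" </dev/null || return 4

    "$@"
    rc=$?

    ssh-agent -k >/dev/null 2>&1
    trap - EXIT
    unset SSH_AUTH_SOCK SSH_AGENT_PID
    return $rc
}
```

The point of the wrapper is the lifetime and scope of the agent: it exists only for the duration of the job and holds only the one key, so a compromised interactive session on the same box finds no long-lived agent socket holding every key the user owns.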