info-cvs

RE: security question


From: Zieg, Mark
Subject: RE: security question
Date: Mon, 16 Dec 2002 09:37:55 -0500

> Password-protected keys help protect them against
> theft.  I would encourage everyone to use such keys. 
> Or did I misunderstand your post?

Are you talking about ssh-agent, or passphrase-based ssh keys, or an
external layer of encryption on the keyfiles, or what?  Please be specific.

ssh-agent, for instance, would be a bit more secure, as long as you're
sitting down at the console of one SSH-equipped workstation, and don't mind
taking a minute to systematically start up ssh-agent connections to each host
with which you plan to communicate during that session.

My biggest problem with any of these approaches, besides the inconvenience,
is they eliminate the opportunity for secure, automated batch processes.  I
have various cron jobs that fire off automatically, connect to different
servers, do reports/extracts/whatever, and so on.  For that, AFAIK, you need
to store your keys in the filesystem.

Correct me if I'm wrong, but as long as your private key is chmod 600, the
only way it will be compromised is if your local workstation gets rooted.
If that happens, ssh-agent itself can be quickly trojaned with a compromised
copy that collects passwords.  Likewise, if you're just using
passphrase-encrypted keys, ssh and cvs themselves are both compromised on a
rooted box...so what's the difference?  Or am I missing something?

Thanks...this is more interesting than listening in on pserver discussions
:-)


