info-cvs

Re: security question


From: Scott Moynes
Subject: Re: security question
Date: Mon, 16 Dec 2002 11:22:32 -0500
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2; MultiZilla v1.1.32 final) Gecko/20021130

Zieg, Mark wrote:
> My biggest problem with any of these approaches, besides the inconvenience,
> is they eliminate the opportunity for secure, automated batch processes.  I
> have various cron jobs that fire off automatically, connect to different
> servers, do reports/extracts/whatever, and so on.  For that, AFAIK, you need
> to store your keys in the filesystem.
>
> Correct me if I'm wrong, but as long as your private key is chmod 600, the
> only way it will be compromised is if your local workstation gets rooted.
> If that happens, ssh-agent itself can be quickly trojaned with a compromised
> copy that collects passwords.  Likewise, if you're just using
> passphrase-encrypted keys, ssh and cvs themselves are both compromised on a
> rooted box...so what's the difference?  Or am I missing something?

There's a tool called keychain [1] that acts as a frontend to ssh-add and ssh-agent. It will allow one to use password-encrypted keys in cron jobs as you suggest, and eliminates the hassle of adding your keys to your agent every session. YMMV.


[1]: <http://www.gentoo.org/proj/en/keychain.xml>
--
Scott Moynes
Canadian Bank Note Co. Ltd.
address@hidden
(613) 225-3018 x2272
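An added example of the cron-side half of what the reply describes; it is not code from the post and not part of keychain itself. keychain starts (or re-attaches to) one long-lived ssh-agent per host at interactive login, asks for the key passphrase once, and writes the agent's environment variables to a file under ~/.keychain (named after the hostname, with a -sh suffix for Bourne-style shells) in the same "VAR=value; export VAR;" form that ssh-agent -s prints. A cron job only has to read that file to reach the already-unlocked agent, so the passphrase never lives on disk. The file name, the sample socket path and PID, and the cvs command are constructed for illustration. The security trade-off to keep in mind is the one Mark raises: the private key file is now encrypted at rest (a copied home directory or backup tape is useless without the passphrase), but any process running as that user, or as root, can still ask the running agent to sign, so this protects against disk exposure, not against a compromised host.

```shell
#!/bin/sh
# Added example (not from the original post, not keychain's own code).
# Interactive side, once per boot (prompts for the passphrase):
#     keychain ~/.ssh/id_rsa
# keychain then writes the agent variables to ~/.keychain/<hostname>-sh.
# This script is the cron side: read that file, verify the agent is
# reachable and holds a key, then run the batch job.

# Pull SSH_AUTH_SOCK / SSH_AGENT_PID out of a keychain-style env file.
# The file is parsed rather than sourced so that only these two variables
# are taken from it. $1 overrides the default path (used by the demo below).
load_keychain_env() {
    envfile="${1:-$HOME/.keychain/$(hostname)-sh}"
    [ -r "$envfile" ] || return 1
    sock=$(sed -n 's/^SSH_AUTH_SOCK=\([^; ]*\).*/\1/p' "$envfile")
    pid=$(sed -n 's/^SSH_AGENT_PID=\([^; ]*\).*/\1/p' "$envfile")
    [ -n "$sock" ] || return 1
    SSH_AUTH_SOCK=$sock; export SSH_AUTH_SOCK
    if [ -n "$pid" ]; then
        SSH_AGENT_PID=$pid; export SSH_AGENT_PID
    fi
    return 0
}

# ssh-add -l exits 0 when the agent answers and has at least one identity,
# 1 when it answers but holds no keys (e.g. after a reboot before anyone
# ran keychain again), and 2 when the socket is unreachable.
agent_ready() {
    ssh-add -l >/dev/null 2>&1
}

# The batch job itself. It refuses to run rather than falling back to a
# plaintext key when the agent is not usable; the CVS root is hypothetical.
run_batch_job() {
    load_keychain_env "$1" || {
        echo "keychain env file not found; was keychain run at login?" >&2
        return 1
    }
    agent_ready || {
        echo "ssh-agent unreachable or no key loaded; skipping job" >&2
        return 1
    }
    cvs -d :ext:user@cvs.example.org:/cvsroot -q update -d
}

# Stand-alone demo on a constructed keychain file (no real agent needed):
demo() {
    tmpd=$(mktemp -d)
    printf '%s\n' \
        'SSH_AUTH_SOCK=/tmp/ssh-demo/agent.4242; export SSH_AUTH_SOCK;' \
        'SSH_AGENT_PID=4243; export SSH_AGENT_PID;' > "$tmpd/demo-sh"
    if load_keychain_env "$tmpd/demo-sh"; then
        echo "agent socket: $SSH_AUTH_SOCK (pid $SSH_AGENT_PID)"
    fi
    rm -rf "$tmpd"
}

demo
```

In a crontab this would be invoked as the job's wrapper (for example `*/30 * * * * /usr/local/bin/cvs-report.sh`), with run_batch_job called and no arguments so the default ~/.keychain path is used. If the machine reboots, the job fails closed until someone logs in and runs keychain again, which is exactly the behaviour you want from a passphrase-protected key.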