Mark Hahn
Mon, 21 Jul 2008 06:43:37 -0700
Here is a link for the keychain script I mentioned earlier: http://www.ibm.com/developerworks/library/l-keyc2/
I've used ssh and ssh-agent for a long time, and don't really see much value to this keychain thing. the main premise seems to be that you want to leave your ssh-agent running even after logout. I find this kind of strange. the article mentions as desirable that by leaving ssh-agent running with keys and stashing its parameters in .ssh-agent, things like your cron jobs can act as you.

I don't see this as a significant advantage - if I want unattended jobs to do ssh authentication, I do it with a dedicated, unencrypted key (which on the target machine can _only_ perform the desired function using the command= syntax, preferably also with the from= constraint.) yes, that means that someone could steal the private key and perform the function. leaving ssh-agent running with keys means that any compromise, even just of the user-level account, now _owns_ the account, locally and remotely.

I prefer to run ssh-agent as part of my X session - processes inherit the SSH_AUTH_SOCK parameter in their environment, and ssh-agent goes away when I logout. I've been thinking about tweaking ssh-agent so that keys timeout when idle (ssh-add _can_ already provide a TTL, but I'd like ssh-agent to forget my keys after a period of unuse.) it's also tempting to see whether the kernel's keyring feature might be useful in handling ssh keys - I think it would remove the need for a process (and worrying about $SSH_AUTH_SOCK), but wouldn't actually add any additional safety.

regards, mark hahn.
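As an added example, not code from the post above: one way to set up the dedicated unattended key it describes, pinned with from= and command= on the target host, together with the forced-command wrapper that the command= option points at. The host pattern, wrapper path, key material and the single allowed job command are assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing-list post). Builds a restricted
# authorized_keys entry for a dedicated, unencrypted cron key and
# implements the forced-command wrapper it references. Paths, host
# pattern and the allowed command are assumptions for illustration.

# Build one authorized_keys line. from= pins the client host, command=
# forces the wrapper no matter what the client asked for, and the
# no-* options drop channels an unattended job does not need.
build_authorized_key_line() {
    from_pattern=$1   # e.g. "10.0.0.5" or "*.cluster.example"
    wrapper=$2        # e.g. /usr/local/bin/backup-only.sh
    pubkey=$3         # "ssh-ed25519 AAAA... comment"
    printf 'from="%s",command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$from_pattern" "$wrapper" "$pubkey"
}

# Forced-command policy: sshd places the client's requested command in
# SSH_ORIGINAL_COMMAND. Only the one job is allowed; an exact-string
# match means a stolen key can still do nothing else on this host.
# Returns 0 when allowed, 1 when rejected.
check_original_command() {
    case "$1" in
        "/usr/local/bin/run-nightly-backup") return 0 ;;
        *) return 1 ;;
    esac
}

# Wrapper body, as invoked by sshd via command="..." above.
run_forced_command() {
    if check_original_command "${SSH_ORIGINAL_COMMAND:-}"; then
        # Word splitting is intended: the string was matched exactly.
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "rejected: ${SSH_ORIGINAL_COMMAND:-<none>}" >&2
    return 1
}

# Run the wrapper only when this file is invoked as backup-only.sh by
# sshd, not when it is sourced for its functions.
if [ "${SSH_ORIGINAL_COMMAND+set}" = set ] && [ "${0##*/}" = backup-only.sh ]; then
    run_forced_command
fi
```

Rejections are written to stderr, which ends up in sshd's view of the session; pairing that with auth.log gives a simple detection signal for a key being used outside its intended job.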