On Thu, Jul 29, 2010 at 10:24 AM, Manokaran K <[email protected]> wrote:
> But it is also suggested that ssh-agent (or keychain etc) is used to manage
> passphrases - so that one does not have the trouble of keying in a long
> passphrase every time! I feel this defeats the very purpose of a passphrase!!
> A person getting hold of the ssh-agent config (or whatever file that holds
> the passphrase) file can just as easily access the servers!!
For this reason, ssh-agent will never save the passphrase in a config file.
You are forced to enter it manually whenever you start ssh-agent and add
keys. Once the keys are added, you can then use ssh repeatedly without
passwords.
The main security problem with ssh-agent is that it creates a unix domain
socket for communication with ssh. This file/socket is secured using standard
unix file permissions and hence root can access the ssh keys for any local user.
Suggest you read this article for a good understanding of ssh/ssh-agent
interaction:
http://unixwiz.net/techtips/ssh-agent-forwarding.html
- Raja
_______________________________________________
ILUGC Mailing List:
http://www.ae.iitm.ac.in/mailman/listinfo/ilugc
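To make the socket point concrete, here is an added example (not from this thread and not OpenSSH's own code): a minimal Python client that speaks the SSH agent protocol over SSH_AUTH_SOCK to list loaded keys, exactly as `ssh-add -l` does, together with a check that the socket and its directory are owner-only. Whoever can open that socket can ask the agent to list and use the keys, without ever seeing the passphrase. The tiny "agent" in the block is a constructed stand-in that answers one request so the example runs offline; the key blob and comment are constructed sample data, and message numbers follow the published agent protocol draft (draft-miller-ssh-agent).

```python
import os
import socket
import stat
import struct
import tempfile
import threading

# Message numbers from the SSH agent protocol (draft-miller-ssh-agent).
SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12


def _string(b):
    """Encode bytes as an SSH 'string': uint32 big-endian length, then data."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def _recv_exact(conn, n):
    data = b""
    while len(data) < n:
        chunk = conn.recv(n - len(data))
        if not chunk:
            raise ConnectionError("agent closed the socket early")
        data += chunk
    return data


def encode_identities_answer(keys):
    """Frame SSH_AGENT_IDENTITIES_ANSWER: uint32 nkeys, then (key blob, comment) pairs."""
    body = struct.pack(">BI", SSH_AGENT_IDENTITIES_ANSWER, len(keys))
    for blob, comment in keys:
        body += _string(blob) + _string(comment.encode())
    return struct.pack(">I", len(body)) + body


def parse_identities_answer(body):
    """Return [(key_type, comment)] from an IDENTITIES_ANSWER body (length prefix stripped)."""
    if body[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("agent refused or sent unexpected reply type %d" % body[0])
    (nkeys,) = struct.unpack_from(">I", body, 1)
    off, out = 5, []
    for _ in range(nkeys):
        blob, off = _read_string(body, off)
        comment, off = _read_string(body, off)
        key_type, _ = _read_string(blob, 0)  # first field of a public-key blob is its type
        out.append((key_type.decode(), comment.decode()))
    return out


def request_identities(sock_path):
    """What `ssh-add -l` does: connect to the agent socket and list the loaded keys."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(struct.pack(">IB", 1, SSH_AGENTC_REQUEST_IDENTITIES))
        (n,) = struct.unpack(">I", _recv_exact(s, 4))
        return parse_identities_answer(_recv_exact(s, n))


def socket_permissions_ok(sock_path):
    """True if the socket and its directory are owned by us with no group/other bits."""
    st = os.lstat(sock_path)
    parent = os.stat(os.path.dirname(sock_path))
    return (stat.S_ISSOCK(st.st_mode)
            and st.st_uid == os.getuid() and (st.st_mode & 0o077) == 0
            and parent.st_uid == os.getuid() and (parent.st_mode & 0o077) == 0)


def _serve_once(listener, keys):
    """Constructed stand-in agent: answer one REQUEST_IDENTITIES, refuse anything else."""
    conn, _ = listener.accept()
    with conn:
        (n,) = struct.unpack(">I", _recv_exact(conn, 4))
        msg = _recv_exact(conn, n)
        if msg[0] == SSH_AGENTC_REQUEST_IDENTITIES:
            conn.sendall(encode_identities_answer(keys))
        else:
            conn.sendall(struct.pack(">IB", 1, SSH_AGENT_FAILURE))


def run_demo():
    # Constructed sample key: an ssh-ed25519 blob with a zeroed public key (not a real key).
    blob = _string(b"ssh-ed25519") + _string(b"\x00" * 32)
    keys = [(blob, "alice@laptop (constructed)")]
    tmpdir = tempfile.mkdtemp(prefix="agent-demo.")  # mode 0700, like ssh-agent's own dir
    sock_path = os.path.join(tmpdir, "agent.sock")
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o077)  # socket file is created 0700
    try:
        listener.bind(sock_path)
    finally:
        os.umask(old_umask)
    listener.listen(1)
    t = threading.Thread(target=_serve_once, args=(listener, keys), daemon=True)
    t.start()
    try:
        return request_identities(sock_path), socket_permissions_ok(sock_path)
    finally:
        t.join(timeout=5)
        listener.close()
        os.unlink(sock_path)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    identities, perms_ok = run_demo()
    for key_type, comment in identities:
        print(key_type, comment)
    print("socket and directory restricted to owner:", perms_ok)
```

Pointing `request_identities` at a real `$SSH_AUTH_SOCK` lists the keys of whichever user owns that agent, which is why the file modes matter: the permission bits are the only thing standing between another local account and your loaded keys, and root is not bound by them at all.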