On 2013-05-02 06:36, Tim wrote:
On Wednesday, May 1, 2013 8:35:18 PM UTC+1, Matthew Woehlke wrote:
On 2013-05-01 07:23, Tim wrote:
Review Board won't handle password protected private keys. If
you entered a passphrase when generating the key then I found
ReviewBoard can't handle it.

Well... yeah. Where would RB store the pass-phrase? :-)

Same place it stores all the other passwords? Admittedly, this is a
feature that imho is missing.

The problem is that the SSH pass-phrase must be stored in a way that access to the stored data is sufficient to unlock the key. As such, the most benefit you get over a key without a pass-phrase is (maybe) the ability to store the pass-phrase in a different disk location from the SSH key.

As that seems to me to be of only marginal benefit, this is probably why pass-phrase protected keys are not supported; there is not enough benefit to warrant the feature.

...or do you know something I don't why this would be valuable?

If by 'other passwords' you're thinking about user login passwords, keep in mind that these are more like storing *public* keys; it is relatively safe for them to be exposed because they are only useful for verifying user-supplied private keys (i.e. the user's password), and cannot be used themselves to gain access to any resources.

Basically, any token that can be used to gain access to a resource (e.g. an SSH private key, password for a remote web service) can only be protected by restricting physical access to the token. That means either file permissions, or never storing the token on the machine in the first place (e.g. passwords). The latter case can only be achieved with SSH keys by requiring interactive unlocking. If you require that RB can use the token without manual interaction, then there is no significant advantage to storing the token in two pieces (pass-phrase protected key plus pass-phrase) versus one piece (unprotected key).

If you *really* need secure tokens, then I think your only option is to manually start the server from within an ssh-agent that has been initialized with your manually-unlocked keys.

--
Matthew
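The distinction Matthew draws between a stored login password (a verifier, which can only check a user-supplied secret) and a stored access token (which grants access to whoever reads it) is easy to demonstrate. The following Python script is an added example and is not code from this thread or from Review Board; the PBKDF2 parameters, the `correct horse battery staple` sample password and the placeholder key file are constructed for the demo. It shows that possession of the verifier does not let you log in, and that the only protection for an always-usable token on disk is owner-only file permissions.

```python
import hashlib
import hmac
import os
import stat
import tempfile

# Constructed parameter for this demo; real deployments tune this to their hardware.
PBKDF2_ITERATIONS = 200_000


def make_verifier(password, salt=None):
    """Derive a salted PBKDF2 verifier from a login password.

    Like a public key, the verifier can check a candidate password but cannot
    itself be presented to gain access, so storing it is relatively safe.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest}


def check_password(candidate, verifier):
    """Recompute the digest for the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), verifier["salt"], PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(digest, verifier["digest"])


def token_file_is_restricted(path):
    """Check that an access token (e.g. an unencrypted SSH private key) is
    readable by its owner only: no group or other permission bits set.

    A token that must work without interactive unlocking has no other
    protection than this, so it is the check worth automating.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & 0o077 == 0


def demo():
    """Run both checks and return the results as a dict."""
    verifier = make_verifier("correct horse battery staple")  # constructed sample
    results = {
        "right_password": check_password("correct horse battery staple", verifier),
        "wrong_password": check_password("Tr0ub4dor&3", verifier),
        # Presenting the stored digest itself as the password fails: an
        # attacker who reads the verifier table still cannot authenticate.
        "digest_as_password": check_password(verifier["digest"].hex(), verifier),
    }
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed stand-in for a key file; the contents are a placeholder, not a real key.
        key_path = os.path.join(workdir, "id_rsa")
        with open(key_path, "w") as handle:
            handle.write("-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER\n"
                         "-----END OPENSSH PRIVATE KEY-----\n")
        os.chmod(key_path, 0o644)
        results["world_readable_ok"] = token_file_is_restricted(key_path)
        os.chmod(key_path, 0o600)
        results["owner_only_ok"] = token_file_is_restricted(key_path)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The verifier half of the demo is why user passwords can live in the same database as everything else, while the permission check is the whole of the protection available to an SSH key that Review Board must use unattended; wrapping that key in a passphrase that is itself stored alongside it adds nothing the permission check does not already provide.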
