On 2013-05-02 06:36, Tim wrote:
On Wednesday, May 1, 2013 8:35:18 PM UTC+1, Matthew Woehlke wrote:
On 2013-05-01 07:23, Tim wrote:
Review Board won't handle password protected private keys. If
you entered a passphrase when generating the key then I found
ReviewBoard can't handle  it.

Well... yeah. Where would RB store the pass-phrase? :-)

Same place it's stores all the other passwords? Admittedly, this is a
feature that imho is missing.

The problem is that the SSH pass-phrase must be stored in a way that access to the stored data is sufficient to unlock the key. As such, the most benefit you get over a key without a pass-phrase is (maybe) the ability to store the pass-phrase in a different disk location from the SSH key.

As that seems to me to be of only marginal benefit, this is probably why pass-phrase protected keys are not supported; there is not enough benefit to warrant the feature.

...or do you know something I don't why this would be valuable?

If by 'other passwords' you're thinking about user login passwords, keep in mind that these are more like storing *public* keys; it is relatively safe for them to be exposed because they are only useful for verifying user-supplied private keys (i.e. the user's password), and cannot be used themselves to gain access to any resources.

Basically, any token that can be used to gain access to a resource (e.g. an SSH private key, password for a remote web service) can only be protected by restricting physical access to the token. That means either file permissions, or never storing the token on the machine in the first place (e.g. passwords). The latter case can only be achieved with SSH keys by requiring interactive unlocking. If you require that RB can use the token without manual interaction, then there is no significant advantage to storing the token in two pieces (pass-phrase protected key plus pass-phrase) versus one piece (unprotected key).

If you *really* need secure tokens, then I think your only option is to manually start the server from within an ssh-agent that has been initialized with your manually-unlocked keys.


Want to help the Review Board project? Donate today at 
Happy user? Let us know at http://www.reviewboard.org/users/
To unsubscribe from this group, send email to 
For more options, visit this group at 
--- You received this message because you are subscribed to the Google Groups "reviewboard" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to reviewboard+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Reply via email to