On Thu, Feb 16, 2006 at 09:06:48AM +0000, Chris Green wrote:
> I use it from a work computer which is secure enough for me to simply
> set up secure keys and allow passwordless login without using
> ssh_agent. Since I stay logged on to my work computer all day using
> ssh_agent would add nothing in the way of security.

Presumably by "set up secure keys and allow passwordless login without using ssh_agent" you mean you've created keys with no passphrase. In practical terms, what you say is probably true; but there is a difference. Anyone who could access your computer (either physically, or remotely through some exploit) could easily make a copy of your key, which is not encrypted. While an unencrypted copy of your key is available in your agent, the "attacker" would require a greater level of sophistication to get your key out of the process's memory than would be required to copy the file...

In environments that require a high degree of security, using unencrypted keys (keys with no passphrase) is unwise. Even if you use ssh-agent (and hence an unencrypted copy of your key is lying around in memory), the extra security you get from using passphrases is small, but probably worthwhile. In such environments though, better still to not use ssh-agent...

Of course, a compromise of the key you use to access your e-mail system is probably not the end of the world, unless it does a whole lot more than just send and receive your e-mail...

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address. Replying to it will result in undeliverable mail. Sorry for the inconvenience. Thank the spammers.