On Thu, Feb 16, 2006 at 09:06:48AM +0000, Chris Green wrote:
I use it from a work computer which is secure enough for me to simply
set up secure keys and allow passwordless login without using
ssh_agent. Since I stay logged on to my work computer all day using
ssh_agent would add nothing in the way of security.
Presumably by "set up secure keys and allow passwordless login without
using ssh_agent" you mean you've created keys with no passphrase.
In practical terms, what you say is probably true; but there is a
difference. Anyone who could access your computer (either physically,
or reomotely through some exploit) could easily make a copy of your
key, which is not encrypted. While an unencrypted copy of your key is
available in your agent, the "attacker" would require a greater level
of sophistication to get your key out of the process's memory than
would be required to copy the file...
In environments that require a high degree of security, using
unencrypted keys (keys with no passphrase) is unwise. Even if you use
ssh-agent (and hence an unencrypted copy of your key is laying around
in memory), the extra security you get from using passphrases is
small, but probably worthwhile. In such environments though, better
still to not use ssh-agent...
Of course, a compromise of the key you use to access your e-mail
system is probably not the end of the world, unless it does a whole
lot more than just send and receive your e-mail...
--
Derek D. Martin http://www.pizzashack.org/ GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address. Replying to it will result in
undeliverable mail. Sorry for the inconvenience. Thank the spammers.