Re: sending through a remote MTA with ssh

To: mutt-users@xxxxxxxx
Subject: Re: sending through a remote MTA with ssh
From: Chris Green <chris@xxxxxxxxxxx>
Date: Thu, 16 Feb 2006 18:56:20 +0000
Cc: Stanislaw Halik <weirdo@xxxxxxxxxxxxxx>
In-reply-to: <20060216171721.GA13081@xxxxxxxxxx>
List-unsubscribe: <mailto:mutt-users-request@mutt.org?body=unsubscribe>
Mail-followup-to: mutt-users@xxxxxxxx, Stanislaw Halik <weirdo@xxxxxxxxxxxxxx>
References: <20060215141750.GA28703@xxxxxxxxxx> <20060215232418.GA72258@xxxxxxxxxxxxxx> <20060216084559.GB15300@xxxxxxxxxxx> <20060216090026.GA11107@xxxxxxxxxx> <20060216090647.GB16743@xxxxxxxxxxx> <20060216171721.GA13081@xxxxxxxxxx>
Sender: owner-mutt-users@xxxxxxxx
User-agent: Mutt/1.5.6i

On Thu, Feb 16, 2006 at 12:17:21PM -0500, Derek Martin wrote:
> On Thu, Feb 16, 2006 at 09:06:48AM +0000, Chris Green wrote:
> > I use it from a work computer which is secure enough for me to simply
> > set up secure keys and allow passwordless login without using
> > ssh_agent.  Since I stay logged on to my work computer all day using
> > ssh_agent would add nothing in the way of security.
> 
> Presumably by "set up secure keys and allow passwordless login without
> using ssh_agent" you mean you've created keys with no passphrase.
> 
Yes, sorry, that's the one.  It's a while since I did it so I'd
forgotten the details.  .... and I did read all about the security
risks.


> In practical terms, what you say is probably true; but there is a
> difference.  Anyone who could access your computer (either physically,
> or reomotely through some exploit) could easily make a copy of your
> key, which is not encrypted.  While an unencrypted copy of your key is
> available in your agent, the "attacker" would require a greater level
> of sophistication to get your key out of the process's memory than
> would be required to copy the file...
>  
If they can get access to my home directories on the computers at work
there are *far* more interesting things to steal than the unencrypted
ssh keys there!  This is why I decided it was 'safe enough'.


> In environments that require a high degree of security, using
> unencrypted keys (keys with no passphrase) is unwise.  Even if you use
> ssh-agent (and hence an unencrypted copy of your key is laying around
> in memory), the extra security you get from using passphrases is
> small, but probably worthwhile.  In such environments though, better
> still to not use ssh-agent...
> 
Yes, if security is a serious issue then unencrypted keys whether in
memory or in a file are probably not a 'good thing'.


> Of course, a compromise of the key you use to access your e-mail
> system is probably not the end of the world, unless it does a whole
> lot more than just send and receive your e-mail...
> 
You have hit the nail well on the head there.

-- 
Chris Green (chris@xxxxxxxxxxx)

    "Never ascribe to malice that which can be explained by incompetence."

Follow-Ups:
- Re: sending through a remote MTA with ssh
  - From: Derek Martin

References:
- sending through a remote MTA with ssh
  - From: Louis-David Mitterrand
- Re: sending through a remote MTA with ssh
  - From: Stanislaw Halik
- Re: sending through a remote MTA with ssh
  - From: Chris Green
- Re: sending through a remote MTA with ssh
  - From: Louis-David Mitterrand
- Re: sending through a remote MTA with ssh
  - From: Chris Green
- Re: sending through a remote MTA with ssh
  - From: Derek Martin

Prev by Date: SPAM (was Re: sending through a remote MTA with ssh)
Next by Date: Re: sending through a remote MTA with ssh
Previous by thread: Re: sending through a remote MTA with ssh
Next by thread: Re: sending through a remote MTA with ssh
Index(es):
- Date
- Thread