Here is a link for the keychain script I mentioned earlier:

http://www.ibm.com/developerworks/library/l-keyc2/

I've used ssh and ssh-agent for a long time, and don't really see much value to this keychain thing. The main premise seems to be that you want to leave your ssh-agent running even after logout. I find this kind of strange. The article mentions as desirable that by leaving ssh-agent running with keys and stashing its parameters in .ssh-agent, things like your cron jobs can act as you.

I don't see this as a significant advantage - if I want unattended jobs to do ssh authentication, I do it with a dedicated, unencrypted key (which on the target machine can _only_ perform the desired function using the command= syntax, preferably also with the from= constraint.) Yes, that means that someone could steal the private key and perform the function.
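The authorized_keys restriction described above, as an added example that is not part of the original mail: one function builds a restricted entry (command= plus from=, with the usual forwarding options disabled) from a bare public key line, and one audits an existing authorized_keys file and reports any key that lacks either restriction. The sample file contents, key material and paths are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original mail): build and audit authorized_keys
# entries for dedicated, unencrypted keys. A key used by an unattended job
# should carry command="..." (it can only run one thing) and from="..." (it is
# only accepted from the expected client), so a stolen private key is worth
# no more than that one function from that one place.

# Constructed sample file: one properly restricted key, one unrestricted key.
# The key material is a placeholder, not a real key.
SAMPLE_KEYS='command="/usr/local/bin/backup-pull",from="10.0.0.5",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3PLACEHOLDERKEY backup@client
ssh-ed25519 AAAAC3PLACEHOLDERKEY2 unrestricted@client
# a comment line is ignored
'

# restrict_key COMMAND FROM PUBKEY_LINE
# Prints a restricted authorized_keys entry for PUBKEY_LINE, tied to one
# forced command and one source address, with pty and forwarding disabled.
restrict_key() {
    printf 'command="%s",from="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$1" "$2" "$3"
}

# check_authorized_keys FILE
# Prints each key line that is missing command= or from= (with its line
# number) and returns 1 if any such line exists, 0 if every key is restricted.
check_authorized_keys() {
    awk '
        /^[[:space:]]*(#|$)/ { next }              # skip comments and blank lines
        {
            bad = ""
            if (!(/^command="/ || /,command="/)) bad = bad " command="
            if (!(/^from="/    || /,from="/))    bad = bad " from="
            if (bad != "") { printf "line %d: missing%s\n", NR, bad; rc = 1 }
        }
        END { exit rc }
    ' "$1"
}

# Stand-alone usage: write the sample, audit it, then show a corrected entry.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    tmp=$(mktemp)
    printf '%s' "$SAMPLE_KEYS" > "$tmp"
    check_authorized_keys "$tmp" || echo "unrestricted keys found in $tmp"
    restrict_key "/usr/local/bin/backup-pull" "10.0.0.5" \
        "ssh-ed25519 AAAAC3PLACEHOLDERKEY2 unrestricted@client"
    rm -f "$tmp"
fi
```

Running the audit against the sample reports line 2 as missing both options; feeding that line through restrict_key yields an entry the audit accepts. The checker only looks for the two options the mail names, so a key restricted some other way (for example via a Match block in sshd_config) would still be flagged.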

Leaving ssh-agent running with keys means that any compromise, even just of the user-level account, now _owns_ the account, locally and remotely. I prefer to run ssh-agent as part of my X session - processes inherit the SSH_AUTH_SOCK parameter in their environment, and ssh-agent goes away when I logout. I've been thinking about tweaking ssh-agent so that keys timeout when idle (ssh-add _can_ already provide a TTL, but I'd like ssh-agent to forget my keys after a period of unuse.) It's also tempting to see whether the kernel's keyring feature might be useful in handling ssh keys - I think it would remove the need for a process (and worrying about $SSH_AUTH_SOCK), but wouldn't actually add any additional safety.
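The session-scoped agent described above, as an added example that is not part of the original mail: a wrapper starts ssh-agent for one session, loads a key with the TTL that ssh-add already supports (-t), runs the session command with SSH_AUTH_SOCK inherited, and kills the agent when that command exits, so no agent with loaded keys outlives the login. The agent output is parsed with sed rather than passed to eval; the sample output, key path and TTL are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original mail): run ssh-agent only for the
# lifetime of one session and load keys with a lifetime (ssh-add -t), so the
# agent and its keys go away when the session ends instead of persisting.

# agent_var NAME OUTPUT
# Extracts NAME's value from the "VAR=value; export VAR;" lines that
# `ssh-agent -s` prints, without eval-ing the output.
agent_var() {
    printf '%s\n' "$2" | sed -n "s/^$1=\([^;]*\);.*/\1/p"
}

# Constructed sample of `ssh-agent -s` output, used for the offline check.
SAMPLE_AGENT_OUTPUT='SSH_AUTH_SOCK=/tmp/ssh-constructed/agent.1234; export SSH_AUTH_SOCK;
SSH_AGENT_PID=1235; export SSH_AGENT_PID;
echo Agent pid 1235;'

# session_with_agent KEYFILE TTL_SECONDS COMMAND [ARGS...]
# Starts a fresh agent, adds KEYFILE with a lifetime of TTL_SECONDS, runs
# COMMAND with SSH_AUTH_SOCK in its environment, then kills the agent
# whatever the command's exit status was.
session_with_agent() {
    keyfile=$1; ttl=$2; shift 2
    out=$(ssh-agent -s) || return 1
    SSH_AUTH_SOCK=$(agent_var SSH_AUTH_SOCK "$out")
    SSH_AGENT_PID=$(agent_var SSH_AGENT_PID "$out")
    export SSH_AUTH_SOCK SSH_AGENT_PID
    # Load the key for a bounded time; the agent forgets it after TTL_SECONDS
    # even if the session is still running.
    ssh-add -t "$ttl" "$keyfile" || { ssh-agent -k >/dev/null; return 1; }
    "$@"; status=$?
    ssh-agent -k >/dev/null          # agent dies with the session
    return $status
}

# Stand-alone usage (assumed key path; adjust to taste):
#   session_with_agent "$HOME/.ssh/id_ed25519" 3600 startx
```

A key with a lifetime is a half-measure compared to the idle timeout the mail wishes for: ssh-add -t counts from the moment the key is added, not from its last use, so a busy session still loses the key at the deadline and an idle one keeps it until then.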

regards, mark hahn.
_______________________________________________
Beowulf mailing list, Beowulf@beowulf.org
To change your subscription (digest mode or unsubscribe) visit 
http://www.beowulf.org/mailman/listinfo/beowulf