On Fri, 21 Jan 2005, Martin Quinson wrote:
> Dudes. There is a reason why that information is not written to file by
> ssh itself. If my local machine gets corrupted, I'm happy to see the

And it is because all of ssh-agent is a second-thought crap, as evidenced by
the fact that stock ssh-agent is not capable of "withholding keys unless
given explicit permission to act every time one request comes".

But it is still useful as all heck crap. I use it all the time, along with
keychain. But certainly not without paying attention to what I am doing.

> You should at least speak about the potential security risk in the
> description.

Agreed.

> I'd drop the package from the archive right away. I have several cron jobs
> using ssh keys (a new key for each cron, without pass and allowed to do only
> one specific command on the remote host).

This can very well be a much bigger security risk than doing what you
already do BUT using passphrases AND ssh-agent to reduce the window of
opportunity.

And avoiding keychain does not make it much more difficult to find out how
to talk to any in-memory ssh-agent anyway, you know. NOR does it make it any
more difficult to locate all unprotected keys in your machine through a
rgrep.

> - speak about the potential security hazard in description

Or in README.Debian.

> - check the pre-installed version before showing your crufty template (or
>   use README.Debian, it's what it's good for)

Actually, that's NEWS.Debian material. And yes, drop it from debconf
entirely.

> - do useful changelog entries in your packages in the future.

Seconded, thirdied, etc.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh