[Ilugc] doesn't ssh-agent defeat the purpose of a passphrase
- From: rajasuperman@xxxxxxxxx (Raja Subramanian)
- Date: Thu Jul 29 11:50:02 2010
On Thu, Jul 29, 2010 at 10:24 AM, Manokaran K <manokaran@xxxxxxxxx> wrote:
But it is also suggested that ssh-agent (or keychain etc) is used to manage
passphrases - so that one does not have the trouble of keying in a long
passphrase everytime! I feel this defeats the very purpose of a passphrase!!
A person getting hold of the ssh-agent config (or whatever file that holds
the passphrase) file can just as easily access the servers!!
For this reason, ssh-agent will never save the passphrase in a config file.
You are forced to enter it manually whenever you start ssh-agent and add
keys. Once the keys are added, you can then use ssh repeatedly without
passwords.
The main security problem with ssh-agent is that it creates a unix domain
socket for communication with ssh. This file/socket is secured using standard
unix file permissions and hence root can access the ssh keys for any local user.
Suggest you read this article for a good understanding of ssh/ssh-agent
interaction:
http://unixwiz.net/techtips/ssh-agent-forwarding.html
- Raja
Other related posts: