
SSH: passwords or keys?

Posted Jan 14, 2010 8:50 UTC (Thu) by alkbyby (subscriber, #61687)
Parent article: SSH: passwords or keys?

Maybe not everyone knows, but the modern gdm/gnome combo automagically
allows you to have a password-protected key and avoid (re)entering that
password at the same time. It seems that ssh-agent is started as part
of the gnome session and it reuses the password you enter at the login prompt.

I'm not sure if it's ok that all session programs (including
potentially less safe things, like the browser) have access to the unlocked
key, though.



agent = acts on behalf of

Posted Jan 14, 2010 11:24 UTC (Thu) by tialaramex (subscriber, #21167)

Your phrasing is unclear, which might be because you didn't know the specifics.

In any case: other programs in the session only get "access" to the key in the sense that the agent is willing to act for them and the agent has the key. They cannot, for example, make a copy of the key itself and send it somewhere.

The agent will help them answer challenges so that they can log into a remote server, but these challenges are only valid for a limited time, so you can't save one to use later.

This works out roughly equivalent to these programs running 'ssh' themselves, which of course is exactly what your shell (also in the session) does when you type ssh.

It would be nice to forbid programs with a large and exposed attack surface (not just the web browser, a PDF viewer is a good candidate, and perhaps email clients) from a wide variety of activities, but that's a bigger topic than SSH is able to address.
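
The agent interface discussed in the comment above, as an added example that is not part of the thread or of OpenSSH: a toy in-process agent that speaks the agent protocol's framing and message numbers, answers identity and sign requests, and refuses everything else. `ToyAgent`, `ask` and `sign` are hypothetical names, the key is a random constructed secret, and HMAC stands in for the real public-key signature.

```python
import hashlib
import hmac
import os
import struct

# Message numbers from the SSH agent protocol.
SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14

def ssh_string(data: bytes) -> bytes:
    """Length-prefixed byte string, as used on the agent socket."""
    return struct.pack(">I", len(data)) + data

def read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

class ToyAgent:
    """Holds the secret; clients only ever see replies from handle()."""
    def __init__(self):
        self._secret = os.urandom(32)  # stand-in for the unlocked private key
        self.key_blob = hashlib.sha256(self._secret).digest()  # stand-in public blob

    def handle(self, frame: bytes) -> bytes:
        body, _ = read_string(frame, 0)
        reply = bytes([SSH_AGENT_FAILURE])  # default: anything unknown is refused
        if body[:1] == bytes([SSH_AGENTC_REQUEST_IDENTITIES]):
            reply = (bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 1)
                     + ssh_string(self.key_blob) + ssh_string(b"toy key"))
        elif body[:1] == bytes([SSH_AGENTC_SIGN_REQUEST]):
            blob, off = read_string(body, 1)
            data, _ = read_string(body, off)
            if blob == self.key_blob:
                # HMAC stands in for the real public-key signature.
                sig = hmac.new(self._secret, data, hashlib.sha256).digest()
                reply = bytes([SSH_AGENT_SIGN_RESPONSE]) + ssh_string(sig)
        return ssh_string(reply)

def ask(agent: ToyAgent, msg_type: int, payload: bytes = b"") -> bytes:
    """Client side: frame a request, return the unframed reply body."""
    reply, _ = read_string(agent.handle(ssh_string(bytes([msg_type]) + payload)), 0)
    return reply

def sign(agent: ToyAgent, challenge: bytes) -> bytes:
    req = ssh_string(agent.key_blob) + ssh_string(challenge) + struct.pack(">I", 0)
    return ask(agent, SSH_AGENTC_SIGN_REQUEST, req)
```

Any session program that can reach the socket can call the equivalent of `sign()` while the key is loaded, but no reply ever contains the secret itself.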
