[Balug-talk] Security and SSH keys

Bill Moseley moseley at hank.org
Tue Jan 25 13:22:00 PST 2005


I want to do automatic cvs checkout from a Sourceforge project via
cron.  I don't want to do anonymous cvs due to the delay that sf.net
has between developer checkins and propagation to the anon cvs server.
(Or something like that.  Anyway, assume that anonymous is not an
option.)

So, that means I would need a password-less key pair for accessing my
sf.net account via cron.  And that means if anyone hacked my account
on that machine they would then have access to my account at sf.net.
The machine is at UC Berkeley and is used by a few others.  I have no
idea how possible it might be for a hacker to gain access to my
account (and then my private key) on that machine.

I could avoid cron and instead use a pass phrase and run a program
under ssh-agent and have it sleep between cvs checkout runs, but it
would quit working if the process is ever stopped (need to reenter
pass phrase upon restart).

If someone hacked my account would they be able to then capture my
pass phrase?  Obviously, if they had root they could capture my key
strokes.

What would you suggest as the best balance between convenience and
security?  Anonymous cvs would be best, but the sf.net delay rules
it out.

And in general, how do you manage your ssh keys?

I currently use one key with a pass phrase and ssh-agent (and use
ssh-add in my .xsession).  Then I use the same public key on multiple
hosts.  The risk there is if my private key is compromised then so are
multiple machines.

I use a different pass phrase for each of the machines I use (i.e.
desktop, laptop, etc) and different key pairs.  But, that's also a pain
as I often get the pass phrases mixed up between different machines.
Since I access the same set of hosts on all my machines it probably
doesn't improve security to use different private keys.

I worry a bit about using the same public key on different hosts.  But
I suppose if someone managed to capture one private key and its pass
phrase they could catch any that I use.

Oh, and Sourceforge allows two sets of public keys.  One set for cvs
and shell, and another for the compile farm.  And this document says
to not use the same keys for both:

  https://sourceforge.net/docman/display_doc.php?docid=761&group_id=1#keyposting

I'm not sure I understand why they say that.  Is there some other
reason I'm not seeing other than the general idea that it's good not
to have one key with too much access?

Thanks,



-- 
Bill Moseley
moseley at hank.org
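
A sketch of the ssh-agent alternative described in the message above, added here as an example and not part of the original post. The working copy path, the interval and the script name cvs-poll.sh are assumptions. The script checks that the agent still holds a key before every run, so a lost agent shows up as exit status 2 instead of a hung or silently failing checkout.

```shell
#!/bin/sh
# Added example (constructed), not from the original post.
# Start it once by hand so the pass phrase is typed into ssh-add, e.g.:
#   ssh-agent sh -c 'ssh-add && exec sh cvs-poll.sh run'

: "${WORKDIR:=$HOME/checkout/project}"  # hypothetical working copy path
: "${INTERVAL:=900}"                    # seconds between runs (assumed)
: "${SSH_ADD:=ssh-add}"                 # overridable for testing
: "${CVS:=cvs}"
CVS_RSH=ssh; export CVS_RSH             # make cvs :ext: use ssh

# True only if an agent socket is set and the agent holds at least one key.
# ssh-add -l exits non-zero when the agent is empty or unreachable.
agent_ready() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && "$SSH_ADD" -l >/dev/null 2>&1
}

# One update run. Returns 0 on success, 1 if cvs failed,
# 2 if no key is available (cvs is not started at all in that case).
poll_once() {
    if ! agent_ready; then
        echo "cvs-poll: no key in agent, skipping update" >&2
        return 2
    fi
    ( cd "$WORKDIR" && "$CVS" -q update -dP ) || return 1
}

if [ "${1:-}" = "run" ]; then
    while :; do
        rc=0
        poll_once || rc=$?
        # Status 2 means the pass phrase must be re-entered by a person.
        [ "$rc" -eq 2 ] && exit 2
        sleep "$INTERVAL"
    done
fi
```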



