[Balug-talk] Security and SSH keys
moseley at hank.org
Tue Jan 25 13:22:00 PST 2005

I want to do automatic cvs checkout from a Sourceforge project via
cron. I don't want to do anonymous cvs due to the delay that sf.net
has between developer checkins and propagation to the anon cvs server.
(Or something like that. Anyway, assume that anonymous is not an

So, that means I would need a password-less key pair for accessing my
sf.net account via cron. And that means if anyone hacked my account
on that machine they would then have access to my account at sf.net.

The machine is at UC Berkeley and is used by a few others. I have no
idea how possible it might be for a hacker to gain access to my
account (and then my private key) on that machine.

I could avoid cron and instead use a pass phrase and run a program
under ssh-agent and have it sleep between cvs checkout runs, but it
would quit working if the process is ever stopped (need to reenter
pass phrase upon restart).

If someone hacked my account would they be able to then capture my
pass phrase? Obviously, if they had root they could capture my key

What would you suggest as the best balance between convenience and
security? Anonymous cvs would be best, but the sf.net delay rules

And in general, how do you manage your ssh keys?

I currently use one key with a pass phrase and ssh-agent (and use
ssh-add in my .xsession). Then I use the same public key on multiple
hosts. The risk there is if my private key is compromised then so are

I use a different pass phrase for each of the machines I use (i.e.
desktop, laptop, etc) and different key pairs. But, that's also a pain
as I often get the pass phrases mixed up between different machines.
Since I access the same set of hosts on all my machines it probably
doesn't improve security to use different private keys.

I worry a bit about using the same public key on different hosts. But
I suppose if someone managed to capture one private key and its pass
phrase they could catch any that I use.

Oh, and Sourceforge allows two sets of public keys. One set for cvs
and shell, and another for the compile farm. And this document says
to not use the same keys for both:

I'm not sure I understand why they say that. Is there some other
reason I'm not seeing other than the general idea that it's good not
to have one key with too much access?

moseley at hank.org