The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.
Re: [vox-tech] fetchmail and ssh (fwd)
  • Subject: Re: [vox-tech] fetchmail and ssh (fwd)
  • From: Bill Broadley <bill@math.ucdavis.edu>
  • Date: Wed, 14 Feb 2001 13:13:11 -0800
  • References: Pine.LNX.4.21.0102141305500.18990-100000@mirimichi.pvusa.localnet

> I haven't used gpg yet.  *duck*  I don't know about the interchangeability
> of ssh keys with gpg keys, either.
> 
> However, I have had no problem using ssh-keygen to make keys without
> passphrases.

Sounds like a bad idea.

> Your comment does hint at something I find a little odd, though.  I don't
> use the same private key on more than one system, in case one of them gets
> compromised... particularly where one system is more exposed than the
> other.  That is, I treat the key as the identity of user@host, not
> usermail@public.mail.domain.  There probably is value in having a generic
> private key for gpg identification, but once the account that contains it
> gets cracked, the biggest hurdle in cracking your key is already done. 

Hrm, what exactly are you worried about happening?  You do not
need to copy your private key to each machine you log in to, just
your identity.

> If you want the passphrase, and are willing to type it in every single
> time you get mail, then I would run fetchmail manually.  That may be
> appropriate for ssh access from p@belial to p@satan, since belial is not
> behind a firewall, and you don't have a need to forego that extra
> security there. But firewalls with holes in them for public services
> are not 100% trustworthy either. :)
> 
> Fortunately even the use of ssh without any passphrases reduces your
> chances of getting cracked because of the decreased sniffability.

Warning: I haven't been following this thread, but it seems like
you could just use ssh-agent to start fetchmail on boot,
get your passphrase, then via authorized_keys have it trusted
as long as it's running.

> I just happen to play with ssh... only slightly less bone in that part of
> my head. The important thing to keep in mind is that the value of a
> private key lies primarily in its privateness.  The passphrase is the
> second line of defense, and is weakened by the temptation to shorten it
> since you use it a lot.

Ummm, I have a strong/long passphrase; I type it once at login (after
the gdm window).  In secure places, i.e. home, I do that once a month
or so; at work (less secure) I do it once a day.

I just have a .xsession:
#!/bin/bash
# Start an agent for this X session; the eval exports SSH_AUTH_SOCK/SSH_AGENT_PID
eval "$(/usr/bin/ssh-agent -s)"
# Load the default key; with stdin closed, ssh-add prompts for the passphrase via SSH_ASKPASS
/usr/bin/ssh-add < /dev/null
gnome-session

If I wanted it to run fetchmail every minute, or access any
machine that "trusts" my identity, I can pull up a window as root
or bill.  I don't have to trust those remote machines at all, but
I am of course very sensitive to the physical and network security
of my desktop, since it has my secret key.  So basically I type only
one password to admin or log in as a user on hundreds of machines,
and if one gets hacked, no big deal.

Now if someone hacked my console, then trojaned ssh-add to record
my passphrase, then I'd be royally screwed.  For that reason I run
little besides sshd, and keep the patches current.

--
Bill
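
The following is an added example (editor's code, not from Bill or the original thread) of the setup he describes: unlock the key once per login with ssh-agent, let an unattended job such as fetchmail from cron reuse that agent, and restrict the matching authorized_keys entry on the mail server so a stolen or passphrase-less key buys very little. It adds two things the post only hints at: parsing the ssh-agent output without eval'ing it (the post's .xsession evals whatever the ssh-agent binary prints, which is exactly the trojaned-tool risk he mentions), and checking ssh-add's exit status so a cron job fails cleanly instead of hanging on a passphrase prompt. The host name desk.example, the file ~/.ssh/agent.env, the forced command /usr/local/bin/pop-relay and the sample key are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post. Helpers for: ssh-agent
# unlocked once at login, reused by unattended fetchmail, with a
# server-side authorized_keys entry locked to one command from one host.
# All paths, hosts and keys here are constructed for illustration.

# Extract the socket path from `ssh-agent -s` output without eval'ing it.
# Only a line of the exact shape ssh-agent prints is accepted, and the
# path is limited to a conservative character set, so a wrapped or
# trojaned ssh-agent cannot inject shell into the session.
agent_sock_from_output() {
    printf '%s\n' "$1" |
        sed -n 's|^SSH_AUTH_SOCK=\([A-Za-z0-9_./-]*\); export SSH_AUTH_SOCK;$|\1|p' |
        head -n 1
}

# Record SSH_AUTH_SOCK in a mode-0600 file ($2) that cron jobs can source.
# $1 is the raw `ssh-agent -s` output. Returns 1 if no usable line is found.
write_agent_env() {
    sock=$(agent_sock_from_output "$1")
    [ -n "$sock" ] || return 1
    ( umask 077; printf 'SSH_AUTH_SOCK=%s; export SSH_AUTH_SOCK\n' "$sock" > "$2" )
}

# Build an authorized_keys line that lets a key do exactly one thing.
# $1: public key ("ssh-rsa AAAA... comment"), $2: allowed client host
# pattern, $3: forced command. Forwarding and pty allocation are disabled,
# so even a passphrase-less key can only run $3 when connecting from $2.
restricted_authorized_keys_line() {
    printf 'from="%s",command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$2" "$3" "$1"
}

# Classify `ssh-add -l` so a cron wrapper can bail out instead of hanging
# on a passphrase prompt. Documented exit codes: 0 = identities listed,
# 1 = agent reachable but empty, 2 = cannot contact the agent.
agent_state() {
    ssh-add -l >/dev/null 2>&1
    case $? in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo unreachable ;;
    esac
}

# Cron usage (hypothetical file name): source the env file written at login,
# then only run fetchmail if the agent actually holds the unlocked key.
#   . ~/.ssh/agent.env && [ "$(agent_state)" = loaded ] && fetchmail -s
```

In the .xsession from the post, `eval "$(ssh-agent -s)"` can be replaced by `write_agent_env "$(/usr/bin/ssh-agent -s)" ~/.ssh/agent.env && . ~/.ssh/agent.env`, which gives the cron job the same agent the desktop uses. On the mail server, the authorized_keys line produced by restricted_authorized_keys_line means a compromised remote host that copies the key gets a forced command from one source host and nothing else: no shell, no port forwarding, no agent forwarding.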

