[Beowulf] Re: how do I get started?

Mark Hahn hahn at mcmaster.ca
Mon Jul 21 06:34:57 PDT 2008


> Here is a link for the keychain script I mentioned earlier:
>
> http://www.ibm.com/developerworks/library/l-keyc2/

I've used ssh and ssh-agent for a long time, and don't really see much
value to this keychain thing.  the main premise seems to be that you 
want to leave your ssh-agent running even after logout.  I find this 
kind of strange.  the article mentions as desirable that by leaving 
ssh-agent running with keys and stashing its parameters in .ssh-agent,
things like your cron jobs can act as you.

I don't see this as a significant advantage - if I want unattended 
jobs to do ssh authentication, I do it with a dedicated, unencrypted
key (which on the target machine can _only_ perform the desired function
using the command= syntax, preferably also with the from= constraint.)
yes, that means that someone could steal the private key and perform
the function.

leaving ssh-agent running with keys means that any compromise,
even just of the user-level account, now _owns_ the account,
locally and remotely.  I prefer to run ssh-agent as part of my X 
session - processes inherit the SSH_AUTH_SOCK parameter in their 
environment, and ssh-agent goes away when I logout.  I've been 
thinking about tweaking ssh-agent so that keys timeout when idle
(ssh-add _can_ already provide a TTL, but I'd like ssh-agent to 
forget my keys after a period of unuse.)  it's also tempting to see
whether the kernel's keyring feature might be useful in handling
ssh keys - I think it would remove the need for a process (and 
worrying about $SSH_AUTH_SOCK), but wouldn't actually add any additional
safety.

regards, mark hahn.
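The setup Mark describes (a dedicated, unencrypted key that the target host will only let do one thing, via command= and from= in authorized_keys) is worth seeing concretely. The script below is an added example written for this page, not Mark's own script and not from the IBM article; the authorized_keys line, the host address 10.0.0.5, the path /usr/local/bin/backup-gate.sh and the two permitted commands are made-up placeholders. When command= is present, sshd ignores whatever the client asked to run, runs the forced command instead, and exports the client's request in SSH_ORIGINAL_COMMAND; the wrapper allows only exact-string matches so that "dump-db; rm -rf /" is refused along with everything else. A second function checks that a given authorized_keys line actually carries both restrictions, which is the thing to audit when such a key is stolen.

```shell
#!/bin/sh
# Added example (not from the original post): forced-command wrapper for a
# dedicated, unencrypted ssh key, plus a check that an authorized_keys line
# carries the from= and command= restrictions the post recommends.
#
# Assumed (hypothetical) authorized_keys entry on the target machine:
#   from="10.0.0.5",command="/usr/local/bin/backup-gate.sh",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA... backup@client
# sshd runs this script instead of the requested command and puts the
# client's request in SSH_ORIGINAL_COMMAND (unset for an interactive login).

# Exact-match allow list (constructed placeholder commands). Whole-string
# matching, not prefix or pattern matching, so "dump-db; rm -rf /" is rejected.
allowed_command() {
    case "$1" in
        "/usr/local/bin/dump-db") return 0 ;;
        "/usr/local/bin/rotate-logs") return 0 ;;
        *) return 1 ;;
    esac
}

# Decide what to do with a request; prints "allow" or "deny:<reason>".
classify_request() {
    req="$1"
    if [ -z "$req" ]; then
        echo "deny:no-command"      # interactive login attempted with a forced-command key
    elif allowed_command "$req"; then
        echo "allow"
    else
        echo "deny:not-allowed"
    fi
}

# Does an authorized_keys line carry both from= and command= in its options
# field (the text before the key type)? Crude split on " ssh-": good enough
# for ssh-rsa/ssh-ed25519/ssh-dss lines, not for ecdsa-* or sk-* key types.
key_line_restricted() {
    line="$1"
    opts=${line%% ssh-*}
    case "$opts" in
        *from=\"*command=\"*|*command=\"*from=\"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Act as sshd's forced command only when actually running under sshd
# (SSH_CONNECTION is set by sshd for the session).
if [ -n "${SSH_CONNECTION:-}" ]; then
    verdict=$(classify_request "${SSH_ORIGINAL_COMMAND:-}")
    case "$verdict" in
        allow)
            # The allow list holds bare paths with no arguments, so pass the
            # string through as a single word rather than re-splitting it.
            exec "$SSH_ORIGINAL_COMMAND"
            ;;
        *)
            echo "backup-gate: request refused ($verdict)" >&2
            exit 1
            ;;
    esac
fi
```

Run standalone the script does nothing (it is not under sshd); installed as the command= target it refuses anything but the two listed paths. from= limits where the stolen key is usable at all, and no-pty, no-port-forwarding, no-X11-forwarding and no-agent-forwarding close the side channels a forced command does not otherwise block (newer OpenSSH bundles those into a single `restrict` option). On the agent side, the TTL Mark mentions is `ssh-add -t`, and `ssh-agent -t` sets a default lifetime for every key added; neither is an idle timeout, which is the behaviour he says he would like to add.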


