ssh-agent too easy to hack

Tim McGarry tim at mcgarry.ch
Thu Jan 17 09:40:45 EST 2002


Yep I prefer the first option too, it'll remind me to go to lunch when my
keys get dumped and also to leave the office in time to get the train :-)

But, most people would expect keys to be dumped after a period of idleness.

Tim

----- Original Message -----
From: <mouring at etoh.eviladmin.org>
To: "Tim McGarry" <tim at mcgarry.ch>
Cc: <openssh-unix-dev at shitei.mindrot.org>
Sent: Wednesday, January 16, 2002 3:03 AM
Subject: Re: ssh-agent too easy to hack


>
> Umm.. The first of the two.  You'd really piss people off while you are
> explaining to them why they have to enter their passphrase AGAIN after
> only two minutes.  =)  However I would still prefer a user definable
> period.  Maybe with some reasonable upper limit (12 hours? <shrug>).
>
> - Ben
>
> On Wed, 16 Jan 2002, Tim McGarry wrote:
>
> > So what do you think is the best approach
> >
> > either
> >     give the key an absolute life of eg 2 hours from ssh-add time
> > or
> >     dump all keys 2 hours after the last request to the agent?
> >
> > Tim McGarry
> >
> > ----- Original Message -----
> > From: "Markus Friedl" <markus at openbsd.org>
> > To: "Kevin Steves" <stevesk at pobox.com>
> > Cc: "Tim McGarry" <tim at mcgarry.ch>; <openssh-unix-dev at shitei.mindrot.org>
> > Sent: Tuesday, January 15, 2002 10:01 AM
> > Subject: Re: ssh-agent too easy to hack
> >
> >
> > > On Mon, Jan 14, 2002 at 09:43:00PM -0800, Kevin Steves wrote:
> > > > On Tue, 15 Jan 2002, Tim McGarry wrote:
> > > > :2/ I also think it should have a timeout too, perhaps dumping all keys if
> > > > :the agent is unused for more than 30 mins.
> > > >
> > > > agent key timeouts would be good (e.g., ssh-add -t 2h).  someone just
> > > > needs to propose something and write the code.
> > >
> > > i'll do.
> > >
> >
> > _______________________________________________
> > openssh-unix-dev at mindrot.org mailing list
> > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> >
>
>
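
The two options weighed in this thread, an absolute life counted from ssh-add time versus a timeout counted from the last request to the agent, modelled as an added example (not OpenSSH code and not written by anyone in the thread). The struct, the function names, the 30-minute request interval and the treatment of 12 hours as a hard cap are assumptions made for illustration.

```c
#include <stdio.h>
#include <time.h>

#define MAX_LIFE (12 * 3600)  /* assumed hard cap: the 12 hours floated in the thread */

enum policy { ABSOLUTE_LIFE, IDLE_TIMEOUT };

struct agent_key {
    int    loaded;     /* 1 while the private key is held in memory */
    time_t added;      /* time the key was added to the agent */
    time_t last_used;  /* time of the last signing request */
};

/* Clamp a user-defined period to the cap; a non-positive value means "use the cap". */
static time_t clamp_life(time_t requested)
{
    return (requested <= 0 || requested > MAX_LIFE) ? MAX_LIFE : requested;
}

/* Record a signing request; returns 0 if the key has already been dumped. */
static int key_use(struct agent_key *k, time_t now)
{
    if (!k->loaded) return 0;
    k->last_used = now;
    return 1;
}

/* Dump every key whose period has run out; returns how many were dumped. */
static int reap(struct agent_key *keys, int n, enum policy p, time_t life, time_t now)
{
    int dumped = 0;
    life = clamp_life(life);
    for (int i = 0; i < n; i++) {
        time_t start = (p == ABSOLUTE_LIFE) ? keys[i].added : keys[i].last_used;
        if (keys[i].loaded && now - start >= life) {
            keys[i].loaded = 0;  /* a real agent would also wipe the key material */
            dumped++;
        }
    }
    return dumped;
}

/* Constructed scenario: one request every 30 minutes, 2-hour period.
 * Returns 1 if the key is still loaded after `hours` hours. */
static int simulate(enum policy p, int hours)
{
    struct agent_key k = { 1, 0, 0 };
    for (time_t t = 1800; t <= (time_t)hours * 3600; t += 1800) {
        reap(&k, 1, p, 2 * 3600, t);
        key_use(&k, t);
    }
    return k.loaded;
}

int main(void) { printf("%d %d\n", simulate(ABSOLUTE_LIFE, 6), simulate(IDLE_TIMEOUT, 6)); return 0; }
```

Under steady use the idle policy never dumps the key, while the absolute policy dumps it at the two-hour mark regardless of activity.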



