ssh-agent too easy to hack

Aran Cox acox at ia.primustel.com
Thu Jan 17 11:23:20 EST 2002


Ideally you could choose both, dump the keys after a fixed period no
matter what and/or after a period of disuse.  At least, that's what I've
always wanted.  I'd dump them all after 4 hours no questions asked and
maybe an hour or two after their last use.  


On Wed, 2002-01-16 at 16:40, Tim McGarry wrote:
> Yep I prefer the first option too, it'll remind me to go to lunch when my
> keys get dumped and also to leave the office in time to get the train :-)
> 
> But, most people would expect keys to be dumped after a period of idleness.
> 
> Tim
> 
> ----- Original Message -----
> From: <mouring at etoh.eviladmin.org>
> To: "Tim McGarry" <tim at mcgarry.ch>
> Cc: <openssh-unix-dev at shitei.mindrot.org>
> Sent: Wednesday, January 16, 2002 3:03 AM
> Subject: Re: ssh-agent too easy to hack
> 
> 
> >
> > Umm.. The first of the two.  You'd really piss people off while you are
> > explaining to them why they have to enter their passphrase AGAIN after
> > only two minutes.  =)  However I would still prefer a user definable
> > period.  Maybe with some reasonable upper limit (12 hours? <shrug>).
> >
> > - Ben
> >
> > On Wed, 16 Jan 2002, Tim McGarry wrote:
> >
> > > So what do you think is the best approach
> > >
> > > either
> > >     give the key an absolute life of eg 2 hours from ssh-add time
> > > or
> > >     dump all keys 2 hours after the last request to the agent?
> > >
> > > Tim McGarry
> > >
> > > ----- Original Message -----
> > > From: "Markus Friedl" <markus at openbsd.org>
> > > To: "Kevin Steves" <stevesk at pobox.com>
> > > Cc: "Tim McGarry" <tim at mcgarry.ch>; <openssh-unix-dev at shitei.mindrot.org>
> > > Sent: Tuesday, January 15, 2002 10:01 AM
> > > Subject: Re: ssh-agent too easy to hack
> > >
> > >
> > > > On Mon, Jan 14, 2002 at 09:43:00PM -0800, Kevin Steves wrote:
> > > > > On Tue, 15 Jan 2002, Tim McGarry wrote:
> > > > > > :2/ I also think it should have a timeout too, perhaps dumping all keys if
> > > > > > :the agent is unused for more than 30 mins.
> > > > >
> > > > > > agent key timeouts would be good (e.g., ssh-add -t 2h).  someone just
> > > > > > needs to propose something and write the code.
> > > >
> > > > i'll do.
> > > >
> > >
> > > _______________________________________________
> > > openssh-unix-dev at mindrot.org mailing list
> > > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> > >
> >
> >
> 
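
The two policies weighed in this thread (an absolute lifetime counted from ssh-add time, and an idle timeout counted from the last agent request), combined as suggested in the top message and clamped to a user-definable upper limit. This is an added example, not OpenSSH code and not part of any message in the thread; the structs, function names and the 12-hour cap constant are assumptions for illustration.

```c
#include <stdio.h>
#include <time.h>
#define MAX_LIFETIME (12L * 3600)   /* assumed cap: the "12 hours?" from the thread */

struct agent_key {                  /* hypothetical key slot, not OpenSSH's struct */
    unsigned char secret[32];       /* stand-in for decrypted private key material */
    time_t added, last_used;        /* load time and time of last agent request */
    int in_use;
};
struct expiry_policy { long absolute, idle; };  /* seconds; idle 0 = disabled */

/* User-definable lifetime, clamped to the cap; unset or bogus values get the cap. */
static long clamp_lifetime(long requested) {
    return (requested > 0 && requested <= MAX_LIFETIME) ? requested : MAX_LIFETIME;
}

/* Earliest of: absolute deadline from load time, idle deadline from last use. */
static time_t key_deadline(const struct agent_key *k, const struct expiry_policy *p) {
    time_t d = k->added + clamp_lifetime(p->absolute);
    if (p->idle > 0 && k->last_used + p->idle < d)
        d = k->last_used + p->idle;
    return d;
}

/* Zero through a volatile pointer so the compiler cannot drop the wipe. */
static void wipe(void *buf, size_t n) {
    volatile unsigned char *v = buf;
    while (n--) *v++ = 0;
}

/* Drop every key whose deadline has passed; returns how many were dumped. */
static int sweep_expired(struct agent_key *keys, size_t n,
                         const struct expiry_policy *p, time_t now) {
    int dropped = 0;
    for (size_t i = 0; i < n; i++) {
        if (!keys[i].in_use || now < key_deadline(&keys[i], p)) continue;
        wipe(keys[i].secret, sizeof keys[i].secret);
        keys[i].in_use = 0;
        dropped++;
    }
    return dropped;
}

int main(void) {
    struct expiry_policy p = { 4 * 3600, 3600 };     /* 4 h absolute, 1 h idle */
    struct agent_key k[2] = { { {0}, 0, 600, 1 }, { {0}, 0, 13000, 1 } }; /* constructed */
    printf("dumped at t=4200: %d\n", sweep_expired(k, 2, &p, 4200));
    printf("dumped at t=14400: %d\n", sweep_expired(k, 2, &p, 14400));
}
```

A key that keeps getting used still goes at the absolute deadline, and a key left untouched goes earlier at the idle deadline, so whichever comes first decides.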
