Chris Green wrote:
On Thu, May 19, 2005 at 09:57:12PM +0100, Jon Dye wrote:
Chris Green wrote:
On Thu, May 19, 2005 at 06:13:45PM +0100, Wayne Stallwood wrote:
That said, I am guilty of doing the same thing so that an automated script can rsync important docs on my laptop to the home machine. But I am very conscious of the fact that should I ever lose my laptop I'd better be getting my backside home to change the Private Key ASAP.
I use keychain for this
...
Of course, if anyone gains access to the account on the client machine while keychain is running they can still log into your server.
So how does this improve on things really, then? Anyone who gets access to the machine where keychain is running can do what they want, can't they, including *changing* the passphrase?
I thought you needed the old passphrase in order to change the passphrase, which I didn't think you could get from ssh-agent. So they can do anything they like on the client, including grabbing the key, but they could do that whether or not you use passwordless ssh. They can also gain access to the remote machine if keychain is running, but they can't get the passphrase, and therefore stealing the key is pointless.
I guess they can always change the key on the SERVER end to one they've generated.
Someone correct me if I'm wrong.
JD
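
Added example, not part of the original messages: a local check of the passphrase-change question raised in this thread, using a throwaway key. It assumes OpenSSH's ssh-keygen is on PATH; the key, passphrases and function names are constructed for the demonstration, and it covers only the on-disk key file, not the agent.

```bash
#!/usr/bin/env bash
# Constructed throwaway key and passphrases; nothing here comes from the thread.

# Create a passphrase-protected test key in a temp dir and print its path.
make_test_key() {
    local dir
    dir=$(mktemp -d) || return 1
    ssh-keygen -q -t ed25519 -N 'old-passphrase' -C 'constructed-test-key' \
        -f "$dir/id_test" </dev/null || return 1
    printf '%s\n' "$dir/id_test"
}

# Try to re-passphrase a key file.
# $1 = key file, $2 = claimed old passphrase, $3 = new passphrase.
# Prints "changed" or "refused".
try_change_passphrase() {
    if ssh-keygen -q -p -f "$1" -P "$2" -N "$3" </dev/null >/dev/null 2>&1; then
        echo changed
    else
        echo refused
    fi
}

# Does passphrase $2 decrypt key file $1? (Derives the public key as a probe.)
unlocks() {
    if ssh-keygen -y -f "$1" -P "$2" </dev/null >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

run_demo() {
    local key
    key=$(make_test_key) || { echo "could not create test key" >&2; return 1; }
    echo "change with wrong old passphrase: $(try_change_passphrase "$key" 'wrong-guess' 'other-passphrase')"
    echo "original passphrase still works:  $(unlocks "$key" 'old-passphrase')"
    echo "change with right old passphrase: $(try_change_passphrase "$key" 'old-passphrase' 'new-passphrase')"
    echo "new passphrase works:             $(unlocks "$key" 'new-passphrase')"
    echo "old passphrase works afterwards:  $(unlocks "$key" 'old-passphrase')"
    rm -rf "$(dirname "$key")"
}

run_demo
```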