On Thu, May 19, 2005 at 04:34:04PM +0100, Chris Green wrote:
> I know this creates some security holes but I'm not at all clear what they are really, can anyone elucidate? I realise that anyone with
> login. Is this the only risk or is the encryption inherently weaker if I didn't enter a key?
The encryption will be the same, the risk is that you have to trust that everyone with access to those machines won't abuse your keys. All my keys have a passphrase just because, it isn't really any harder to type it every so often. If you find that you are having to type a passphrase often, then maybe you want to take a look at ssh-agent, which sort of caches keys after you unlock them so you don't have to keep typing the passphrase.
Read this article for more explanation on ssh-agent (and the linked articles; I find that the items Brian Hatch writes are very informative without getting too bogged down in details):
http://www.securityfocus.com/infocus/1812
Adam
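
One way to find which private keys on a machine have no passphrase, the case discussed in this thread. This is an added example, not part of the original messages; the function names and the `~/.ssh` default are assumptions of the example, and the sample key text is constructed.

```python
import base64, re, struct
from pathlib import Path

MAGIC = b"openssh-key-v1\x00"  # header of the current OpenSSH private key container

def key_protection(text):
    """Classify private-key file text as 'encrypted', 'unprotected' or 'unknown'."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", text, re.S)
    if not m:
        return "unknown"                      # public key, config, known_hosts, ...
    label, body = m.group(1), m.group(2)
    if label == "ENCRYPTED PRIVATE KEY":      # PKCS#8 encrypted form
        return "encrypted"
    if label == "OPENSSH PRIVATE KEY":
        try:
            blob = base64.b64decode("".join(body.split()))
            if not blob.startswith(MAGIC):
                return "unknown"
            # First field after the magic is the cipher name, a length-prefixed string.
            (n,) = struct.unpack_from(">I", blob, len(MAGIC))
            cipher = blob[len(MAGIC) + 4:len(MAGIC) + 4 + n]
            if len(cipher) != n:
                return "unknown"              # truncated container
        except (ValueError, struct.error):
            return "unknown"
        return "unprotected" if cipher == b"none" else "encrypted"
    if label.endswith("PRIVATE KEY"):         # legacy PEM (RSA/DSA/EC) or plain PKCS#8
        return "encrypted" if "Proc-Type: 4,ENCRYPTED" in body else "unprotected"
    return "unknown"

def audit(directory="~/.ssh"):
    """Return {filename: state} for every private key found directly in directory."""
    root, found = Path(directory).expanduser(), {}
    if not root.is_dir():
        return found
    for path in sorted(root.iterdir()):
        try:
            if path.is_file() and path.stat().st_size <= 64 * 1024:
                state = key_protection(path.read_text(errors="replace"))
                if state != "unknown":
                    found[path.name] = state
        except OSError:
            continue                          # unreadable file: skip it
    return found

if __name__ == "__main__":
    # Constructed sample (not a real key): legacy PEM with no encryption header.
    sample = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"
    print("constructed sample:", key_protection(sample))
    for name, state in audit().items():
        print(f"{state:12} {name}")
```

Keys reported as `unprotected` are the ones usable by anyone who can read the file; the check only reads headers and never handles key material or passphrases.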