Page last updated: 2001 Dec 30 17:00

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] fetchmail and ssh (fwd)

On Wed, 14 Feb 2001, Bill Broadley wrote:

> > I haven't used gpg yet.  *duck*  I don't know about the interchangeability
> > of ssh keys with gpg keys, either.
> > 
> > However, I have had no problem using ssh-keygen to make keys without
> > passphrases.
> Sounds like a bad idea.
> > Your comment does hint at something I find a little odd, though.  I don't
> > use the same private key on more than one system, in case one of them gets
> > compromised... particularly where one system is more exposed than the
> > other.  That is, I treat the key as the identity of user@host, not
> > usermail@public.mail.domain.  There probably is value in having a generic
> > private key for gpg identification, but once the account that contains it
> > gets cracked, the biggest hurdle in cracking your key is already done. 
> Hrm, what exactly are you worried about happening?  You do not
> need to copy your private key to each machine you login to, just
> your identity.

I am only aware of an "identity" file (which is what I referred to as my
private key) and my "identity.pub" file (which I would copy to an account
on a different host or otherwise disseminate).

> > If you want the passphrase, and are willing to type it in every single
> > time you get mail, then I would run fetchmail manually.  That may be
> > appropriate for ssh access from p@belial to p@satan, since belial is not
> > behind a firewall, and you don't have a need to forego that extra
> > security there. But firewalls with holes in them for public services
> > are not 100% trustworthy either. :)
> > 
> > Fortunately even the use of ssh without any passphrases reduces your
> > chances of getting cracked because of the decreased sniffability.
> Warning: I haven't been following this thread, but it seems like
> you could just use the ssh-agent to start fetchmail on boot,
> get your passphrase, then via authorized_keys have it trusted
> as long as it's running.

After reading below, I am liking your suggestion. :)

> > I just happen to play with ssh... only slightly less bone in that part of
> > my head. The important thing to keep in mind is that the value of a
> > private key lies primarily in its privateness.  The passphrase is the
> > second line of defense, and is weakened by the temptation to shorten it
> > since you use it a lot.
> Ummm, I have a strong/long passphrase; I type it once at login (after
> the gdm window).  In secure places, i.e. home, I do that once a month
> ish; at work (less secure) I do it once a day.
> I just have a .xsession:
> #!/bin/bash
> eval `/usr/bin/ssh-agent`
> /usr/bin/ssh-add < /dev/null
> gnome-session
> If I wanted it to run fetchmail every minute, or access any
> machine that "trusts" my identity I can pull up a window as root
> or bill.  I don't have to trust those remote machines at all, but
> I am of course very sensitive to the physical and network security
> of my desktop since it has my secret key.  So basically I only
> type any password to admin or login as a user on 100's of machines
> and if one gets hacked no big deal.
> Now if someone hacked my console, then trojaned ssh-add to record
> my pass-phrase then I'd be royally screwed.  For that reason I run
> little besides sshd, and keep the patches current.

Much learning here, but I don't see anything that changes my view of
"identity"/"private key" as a user@host concept.  If you are on a remote
host, any actions you take may be mimicked by a cracker there, so your use
of ssh to get "back home" is only as safe as that machine is.  If you
don't trust those other machines, then you can't be logging into your
"console" machine remotely.

Jeff Newmiller                        The     .....       .....  Go Live...
DCN:<jdnewmil@dcn.davis.ca.us>        Basics: ##.#.       ##.#.  Live Go...
Work:<JeffN@endecon.com>              Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
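An added example, not code from either poster: Bill's setup trusts an agent-held identity via authorized_keys, and Jeff's worry is what that identity is worth once the desktop holding it is cracked. The script below audits an authorized_keys file so that a key which only needs to start a mail server over ssh is pinned to that one command and stripped of forwarding and pty rights. The sample file, key material, from= address and the imapd path are all constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits an authorized_keys file
# for the setup Bill describes: an agent-held identity that only needs to
# start a mail server over ssh. Such a key should be pinned to one command
# and stripped of forwarding/pty rights, so a compromise of the desktop that
# holds the secret key yields nothing beyond what fetchmail already needed.
# Constructed sample: line 1 is a bare key (full shell), line 2 is
# restricted. Key material and the from= address are placeholders.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
ssh-rsa AAAAB3NzaC1yc2E...placeholder... bill@desktop
command="/usr/sbin/imapd",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,from="192.0.2.10" ssh-rsa AAAAB3NzaC1yc2E...placeholder... fetchmail@desktop
EOF
# Options field of an authorized_keys line (empty when there is none).
key_options() {
    case "$1" in
        ssh-*|ecdsa-*|sk-*) printf '' ;;
        *) o=${1%% ssh-*}; o=${o%% ecdsa-*}; o=${o%% sk-*}; printf '%s' "$o" ;;
    esac
}
# has_option OPTS NAME: NAME present as a bare flag or as NAME="...".
has_option() {
    case ",$1," in *",$2,"*|*",$2="*) return 0 ;; esac
    return 1
}
# Return 0 if the line carries every restriction we require, else 1.
audit_line() {
    opts=$(key_options "$1"); missing=""
    for want in command no-port-forwarding no-agent-forwarding no-X11-forwarding no-pty; do
        has_option "$opts" "$want" || missing="$missing $want"
    done
    [ -z "$missing" ] && return 0
    printf 'unrestricted key (%s): missing%s\n' "${1##* }" "$missing" >&2
    return 1
}
# Print how many non-comment lines in FILE fail the audit.
count_unrestricted() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        audit_line "$line" || n=$((n + 1))
    done <"$1"
    echo "$n"
}
# Guard for the .xsession/cron side: ssh-add -l exits 0 when the agent
# holds an identity, 1 when it is empty, 2 when no agent is reachable.
fetch_if_agent_ready() { ssh-add -l >/dev/null 2>&1 && fetchmail "$@"; }
count_unrestricted "$SAMPLE"   # prints 1 for the constructed sample
```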
