Subject: Re: ssh - are you nuts?!?
To: None <firstname.lastname@example.org>
From: Chris Jones <email@example.com>
Date: 12/20/2000 09:41:50
> On 17 Dec, Chris Jones wrote:
> > firstname.lastname@example.org writes:
> >> Are there any more features that might make SSH valuable?
> > Password-less login. I can type my passphrase once, and for the
> > remainder of the life of the login session or shell, I can ssh "for
> > free" into certain machines.
> > This is also dangerous, of course; it's easy for me to forget and
> > leave my terminal, which theoretically makes a whole batch of
> > computers vulnerable, not just one. To help address this, I've been
> > thinking for some time about adding a locking IOCTL that prevents
> > virtual console switching -- that way, I can just run xlock or lock,
> > and I can feel pretty safe leaving my terminal. As always, of course,
> > I haven't had time to do any coding on this.
> Your point on vulnerability seems to indicate that a feature then
> requires a fix. Which might require a feature, that in turn would
> require a fix..... seems messy to me. Do you agree?
Not quite as involved as that, in this case. In fact, I think
security isn't ever going to work unless users think about security;
no matter how good your security system is, a sufficiently thoughtless
or malicious user can compromise it.
In this case, I could fix the problem by never logging in on more than
one virtual console -- that way, when I lock the console I'm on,
nobody can sit down and switch to a different login session of mine,
where they can grab my RSA key. Alternatively, I could just always
remember, when I leave my computer, to lock each virtual console; that
would be just as effective.
What I'm suggesting, though, is a fix that makes it a little easier
for me to remember all this: I'd like to be able to just run lock or
xlock in one place (or have xautolock run, if I forget), and let the
software lock all those terminals for me.
IMHO, the take-home message is this: Software's no substitute for
thought, but it can take a few things off your mind.
Chris Jones Mad scientist at large