Eric Hodel wrote:
> On Sep 27, 2007, at 14:51 , Marcin Raczkowski wrote:
>>> You mean you didn't do that when you logged into your box the very 
>>> first time?  What about when you need to upgrade some core package?  
>>> I simply can't live without ssh-agent!
>>
>> ssh-agent (the one that comes with PuTTY) has (or at least had, a year 
>> ago) a bunch of exploits for it.
>>
>> In the company I was working at recently, we had to have keys with 
>> passwords anyway :]
>>
>> so maybe using sessions is a better idea
> 
> If you're going to be paranoid about keys, passwords and security your 
> choice is between an SSH toolset written in a garbage collected language 
> (that may leave passwords and unencrypted keys available to a debugger 
> for "long" periods of time) used by thousands to tens of thousands of 
> users (Net::SSH) or an SSH toolset written in a manual memory management 
> library (that may leave passwords and unencrypted keys available forever 
> to a debugger due to leaks) with millions to tens of millions of users 
> (OpenSSH).
> 
> Even if you aren't using OpenSSH's ssh-agent, you've still probably got 
> tens of thousands to hundreds of thousands of users to paranoidly scour 
> the code for security exploits.
> 
> I doubt that anybody has paranoidly scoured Net::SSH looking for ways to 
> pull your passwords and keys out of it.  There certainly have been 
> people paranoidly scouring OpenSSH and putty's code looking for exploits.
> 
> This document contains forward-looking statements.  Past vulnerability 
> is no guarantee of future vulnerability.
> 
> 

hmmm, I have to say I'm not a security expert myself, I only mentioned 
what I was told by security experts in 2 of my previous companies.
I only wanted to give more reasons to use SSH sessions; I often have to 
set up something on a virtual machine just once, so I don't use keys, 
and forcing someone to use them if there's another way is strange.

Of course you do it for free, and that's just a polite request even if my 
poor English skills don't allow me to express myself clearly :)

so to sum up: if you can use sessions, please don't force us to use keys 
everywhere