Hello everybody, I just read the page being discussed here: are we sure we really want to tell developers and users that in some cases it is fine to use a plain passwordless SSH key ?
- for interactive use, it is almost as conveninent, and more secure, to use a SSH agent; - for non-interactive use, it is more secure to restrict what the SSH key can do using a "command" field in the authorized_keys file; - while I am not using the Debian infrastructure much, I am not aware of use cases where it is necessary for simple users to have a plain unrestricted passwordless key as described here. (By the way, the .xsession extract should contain "# eval $(ssh-agent)" instead of "# eval ssh-agent"). I think that the contents of this page would have been added to wiki.debian.org if it already existed when the page was created. Perhaps it is better to transfer the information now ? I understand that being on www.debian.org gives better chances of being translated in many languages, but I would expect that somebody invited to log in debian.org systems with a passwordless key should have a reasonable undestanding of English... And if it is not about logging in the Debian infrastructure, then maybe it is an argument for removing the page ? Have a nice day, -- Charles Plessy Tsurumi, Kanagawa, Japan
