On Thu, Nov 28, 2013 at 10:45:39AM -0800, William Stein wrote: > On Thu, Nov 28, 2013 at 10:27 AM, Georgi Guninski <gunin...@guninski.com> > wrote: > > On Thu, Nov 28, 2013 at 07:48:24AM -0800, William Stein wrote: > >> On Nov 28, 2013 4:36 AM, "Volker Braun" <vbraun.n...@gmail.com> wrote: > >> > > >> > It would be just as easy for a compromised cloud ssh to download your > >> personal private key than to log your password. > >> > >> I always protect my ssh keys by passphrase protecting them, so just > >> downloading the private key does not trivially give access. Instead the > >> attacker would have to setup some sort of logger to get the passphrase, > >> which is harder. I also sometimes use ssh-agent. > >> > > > > sorry, this doesn't make sense at all. > > ssh(1) uses your private key, so it knows it. > > please don't spread disinformation and don't > > Ugh. If you properly passphrase protect your private key then > somebody who *copies* the private key file ~/.ssh/id_rsa gains > nothing. I did not claim anything other than this, and I am not > spreading disinformation. > I should have added the word "file" emphasized in my post above: "just > downloading the private key [file!] does not...". > I thought it was so obvious that if you log into a remote linux > machine and somebody else has also logged into the same machine as the > same user, then anything you do is not secure. I thought it would go > without saying. I'm sorry if there is any confusion. > > -- William >
OK, I agree with this explanation. Appears to me it is offtopic for the thread, so I misunderstood it is part of your original solution (someone already tried to patch it). Sorry for the confusion. -- You received this message because you are subscribed to the Google Groups "sage-support" group. To unsubscribe from this group and stop receiving emails from it, send an email to sage-support+unsubscr...@googlegroups.com. To post to this group, send email to sage-support@googlegroups.com. Visit this group at http://groups.google.com/group/sage-support. For more options, visit https://groups.google.com/groups/opt_out.
