ssh private key password

[Gregory Maxwell]

On Fri, Jan 9, 2009 at 10:33 PM, Jerry Amundson <jamundso at gmail.com> wrote:
> On 1/9/09, Gregory Maxwell <gmaxwell at gmail.com> wrote:
>> A central unspoofable password dialog does make sense for improving
>> security, Fedora isn't there yet… but CLI apps kicking you to some
>> external dialog for passwords is a necessary step to that end.
>
> And that's been proven by whom?

…

Perhaps you didn't understand what I was saying.

It is considered a reasonable goal by many that there ought to be a
way for joe-average-user to be confident that when he is entering a
password it isn't being entered into some spoof/trojan program.

There are a number of ways to accomplish this, for example: There
could be a secure system level password entry box that requires a
magic keypress to activate, and the keypress can't be intercepted by
anything 'user level'. (The windows NT press ctrl-alt-delete login box
is an example of this). Or, for example, the entry could be
accomplished via a secure hardware device (such as a smartcard or
external keypad) which communicates with a protected system level
service.  I'm sure you can imagine a few more possibilities.

Individual apps (be they CLI or GUI) prompting the user for their
password inline is simply incompatible with that goal. If every little
application has it's own password prompts and password entry
facilities the user can't be confident that the one he's talking to is
the one he wants and isn't just some trojan.

This isn't to say that the one-password-dialog-to-rule-them-all must
be obnoxious, focus stealing, etc. ... only that a particular security
goal which you may or many not share requires the consistency of
singular password entry point.