On Thu, 2016-01-28 at 12:30 -0700, Chris Murphy wrote:
> I don't trust any of the web browser implementations right now.
>
> The private keys need to be locked (e.g. ssh-add -D) upon either a
> suspend/hibernate, or the screen lock timer being reached.
>
> Maybe I'm missing something, but at the moment if I ssh@server, type
> the key passphrase, logout of the server, forget to ssh-add -D, put
> the laptop to sleep with sudo systemctl suspend, anyone can come up to
> my laptop hit a key and they get to the desktop, can ssh into the
> server, all without a password. No lock screen after wake from
> suspend. And no timeout or expiration for the ssh key.

Why is this such a problem? They already have total control of your user account; I would be worried about a lot more than your private key at that point....

You know there is a security feature that would have prevented this: screen lock. :)

I don't want to ever type my passphrase. I actually don't even know the passphrase to my SSH key. I forgot it long ago and now can't use the key without copying all my gnome-keyring config to each computer I want to use it on. Really frustrating there doesn't seem to be a way to get the passphrase out of gnome-keyring, even though it clearly has it saved somewhere.

Michael

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx