password safes for mac

Nicolas Williams Nicolas.Williams at sun.com
Wed Jul 1 14:06:05 EDT 2009


On Wed, Jul 01, 2009 at 12:32:40PM -0400, Perry E. Metzger wrote:
> I think he's pointing out a more general problem.

Indeed.  IIRC, the Mac keychain uses your login password as its passphrase
by default, which means that to keep your keychain unlocked requires
either keeping the password around (bad), keeping the keys in cleartext
around (worse?), or prompting for the password/passphrase every time
they are needed (unusable).

This applies to ssh-agent, the GNOME keychain, etcetera.  It also
applies to distributed authentication systems with password-based
options, like Kerberos.

ISTM that keeping the password around (preferably in mlocked memory,
and, to be sure, with swap encrypted with ephemeral keys) is probably
the better solution.  Of course, the keys themselves have to be handled
with care too.

Nico
-- 

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list