August 2007 Archives
Well, I hate eating crow, but it turns out that (surprise) SSHKeychain isn't quite the panacea I made it out to be. Shortly after my post where I gush about it, Eric Warnke, one of the developers, emailed me with a warning about a couple of serious security issues he's found in the current version of SSHKeychain (0.8.1). Both have workarounds, which I'll summarize here, but please see his email post for full details.
UPDATE 25-Aug-2007: Version 0.8.2 has been released to address both of these issues. Tunneling of low ports has been disabled until a proper fix can be made.
[WARNING: There are couple of security issues with SSHKeychain that you should be aware of. Please see my next post for details.]
SSH, short for secure shell, is a set of tools (ssh and scp on Unix derivatives) for logging in to remote machines and copying files to them over an encrypted, authenticated connection. So often I see tutorials, like this or this, on how to set up SSH to work with no password. However, these tutorials often advise using a key pair without a passphrase protecting the private key. Yeah, okay, you can now get into remote machines without typing a password, but so can anyone else who gets access to your account, or just to a copy of that one file. Leaving your private key unprotected without a passphrase is like not having a PIN on your ATM card. It's just asking for trouble.
You may scoff at my paranoia, but the famous Internet Worm back in 1988 exploited a similar weakness in the then-popular RSH (remote shell) set of commands (rsh, rcp, etc.). It used the password-less, trusted-host mode of RSH as one of its methods to spread itself to other machines and effectively bring down much of the Internet of the day. As SSH was written as a secure replacement for RSH, in part to avoid a repeat of problems like the Internet Worm, I believe private keys should be protected with a passphrase under nearly all circumstances.
Okay, so I understand that you don't want to enter your passphrase every time you log in or copy files. The solution (at least on Unix derivatives, including Mac OS X) is to use ssh-agent. You type the passphrase once per session (with ssh-add), the agent keeps the decrypted key in its own memory and answers authentication challenges on your behalf, and the key file on disk stays encrypted. That gives you SSH access without a password while still keeping the key protected. The trade-off to keep in mind is that while the agent is running, anything that can reach its socket under your account can use the loaded keys, so unload them (ssh-add -D) or lock the agent (ssh-add -x) when you walk away.
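Two checks that follow from the two preceding points, as an added example (my code, not the post's or SSHKeychain's): a scan of a key directory that flags any private key stored without a passphrase, and a query of the running agent for the keys it currently holds. It goes a little beyond the 2007 setting by also recognising the newer openssh-key-v1 file format, whose cleartext preamble names the cipher. Only the Python standard library is used; the sample key files are constructed placeholders with real headers but no usable key material, and the agent query assumes a Unix socket at SSH_AUTH_SOCK speaking the standard ssh-agent protocol.

```python
"""Audit private-key files for a missing passphrase; list what ssh-agent holds.

Added example, not the post's own code. Sample key files are CONSTRUCTED:
correct PEM headers, placeholder key material.
"""
import base64
import os
import re
import socket
import struct
import tempfile
from pathlib import Path

PEM_BEGIN = re.compile(rb"-----BEGIN (?P<kind>[A-Z ]*PRIVATE KEY)-----")
OPENSSH_MAGIC = b"openssh-key-v1\0"
SSH_AGENTC_REQUEST_IDENTITIES = 11   # request type sent to the agent
SSH_AGENT_IDENTITIES_ANSWER = 12     # reply type expected back


def ssh_string(b):
    """SSH wire 'string': big-endian uint32 length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def read_ssh_string(buf, off):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    if off + 4 + n > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off + 4:off + 4 + n], off + 4 + n


def key_is_passphrase_protected(data):
    """Return (kind, protected) for a PEM private key; ValueError if not one.

    Legacy PEM keys encrypted by ssh-keygen carry 'Proc-Type: 4,ENCRYPTED';
    PKCS#8 uses a distinct 'ENCRYPTED PRIVATE KEY' block; openssh-key-v1 names
    its cipher in a cleartext preamble, where 'none' means stored unencrypted.
    """
    m = PEM_BEGIN.search(data)
    if m is None:
        raise ValueError("not a PEM private key")
    kind = m.group("kind").decode()
    if kind == "ENCRYPTED PRIVATE KEY":
        return kind, True
    if kind == "OPENSSH PRIVATE KEY":
        end = data.find(b"-----END", m.end())
        blob = base64.b64decode(b"".join(data[m.end():end].split()))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, _ = read_ssh_string(blob, len(OPENSSH_MAGIC))
        return kind, cipher != b"none"
    return kind, b"Proc-Type: 4,ENCRYPTED" in data[m.end():]


def audit_directory(directory):
    """[(name, kind, protected)] for every private key found in directory."""
    found = []
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file():
            continue
        try:
            kind, protected = key_is_passphrase_protected(path.read_bytes())
        except (ValueError, struct.error):  # binascii.Error is a ValueError
            continue                         # not a private key: skip it
        found.append((path.name, kind, protected))
    return found


def parse_identities_answer(msg):
    """Decode an SSH_AGENT_IDENTITIES_ANSWER payload into [(key_type, comment)]."""
    if not msg or msg[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected agent reply type %r" % msg[:1])
    (count,) = struct.unpack(">I", msg[1:5])
    off, ids = 5, []
    for _ in range(count):
        blob, off = read_ssh_string(msg, off)     # public key blob only
        comment, off = read_ssh_string(msg, off)
        key_type, _ = read_ssh_string(blob, 0)    # blob starts with its algorithm name
        ids.append((key_type.decode(), comment.decode(errors="replace")))
    return ids


def list_agent_identities(sock_path=None):
    """Ask the running ssh-agent (SSH_AUTH_SOCK) which keys it currently holds."""
    sock_path = sock_path or os.environ.get("SSH_AUTH_SOCK")
    if not sock_path:
        raise RuntimeError("no agent: SSH_AUTH_SOCK is not set")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(ssh_string(bytes([SSH_AGENTC_REQUEST_IDENTITIES])))  # length-framed
        reply = b""
        while len(reply) < 4 or len(reply) < 4 + struct.unpack(">I", reply[:4])[0]:
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("agent closed the connection")
            reply += chunk
        return parse_identities_answer(reply[4:])


# Constructed samples: real headers, placeholder key material (not usable keys).
SAMPLE_LEGACY_PLAIN = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                       b"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
                       b"-----END RSA PRIVATE KEY-----\n")
SAMPLE_LEGACY_ENCRYPTED = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                           b"Proc-Type: 4,ENCRYPTED\n"
                           b"DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                           b"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
                           b"-----END RSA PRIVATE KEY-----\n")


def openssh_v1_sample(cipher, kdf):
    """Constructed openssh-key-v1 file naming cipher/kdf; key sections left empty."""
    blob = (OPENSSH_MAGIC + ssh_string(cipher) + ssh_string(kdf) + ssh_string(b"")
            + struct.pack(">I", 1) + ssh_string(b"") + ssh_string(b""))
    b64 = base64.b64encode(blob)
    body = b"\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + body + b"\n-----END OPENSSH PRIVATE KEY-----\n"


def demo_audit():
    """Write the samples into a scratch directory standing in for ~/.ssh, then audit it."""
    d = Path(tempfile.mkdtemp())
    files = {"id_rsa_nopass": SAMPLE_LEGACY_PLAIN,
             "id_rsa": SAMPLE_LEGACY_ENCRYPTED,
             "id_ed25519_nopass": openssh_v1_sample(b"none", b"none"),
             "id_ed25519": openssh_v1_sample(b"aes256-ctr", b"bcrypt"),
             "known_hosts": b"example.com ssh-ed25519 AAAA\n"}  # not a key; skipped
    for name, body in files.items():
        (d / name).write_bytes(body)
    return audit_directory(d)


if __name__ == "__main__":
    for name, kind, protected in demo_audit():
        print("%-20s %-22s %s" % (name, kind, "ok" if protected else "NO PASSPHRASE"))
```

Point `audit_directory` at your real `~/.ssh` to find keys that were generated with an empty passphrase; the agent query only works with a live agent, which is exactly what the audit is meant to complement: the file on disk should always be encrypted, and the only decrypted copy should live in the agent.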
My entry into Iron Coder Live, C4[1] Edition, called "The Bouncer", took third place. I'm pretty happy considering the first and second were native iPhone applications, and mine was an Input Manager hack. Congrats to Glen and Ken Aspeslagh for first place and Lucas Newman for second!
The Bouncer is an application that can bounce the dock icon of other running Cocoa applications. It has an "interactive" mode where you can bounce the icons by using different keys on your keyboard. I finished off the demo with icons bouncing in sync to an audio clip of The Blue Danube. Here is a video of the hack in action:
Well, C4[1], the second incarnation of Jonathan "Wolf" Rentzsch's popular conference for Mac indies, is over, and what can I say. Wow. It was fantastic. Living in Chicago and being able to work with Wolf on projects outside of C4, I think I have a unique perspective on how much work Wolf actually puts into it. Lemme just summarize and say, "You have no idea."
The conference is willed together by a combination of Wolf's insanity and drive for perfection. Like Cabel, who mentioned in his talk about how he has the vision for an app even before he begins to prototype the UI, C4 is the realization of Wolf's idealized conference. The whole thing really is from the heart, and it shows. When Wolf is standing at the door on opening night trying to personally greet everyone that comes in, those greetings are for real. He really is glad to see everyone.
My only complaint about C4[1], well, maybe my second (I'm hoping Drunken Batman was actually drunk), is that I think we ended the conference without giving Wolf his proper thanks. After Iron Coder, we all just sort of scattered about. So I want to take the time now to give Wolf a virtual standing ovation, complete with hoots and hollers. Thanks, Wolf! You did a fantastic job, and I appreciate the hard work you put into the conference.
Of course, let's also not forget the behind the scenes work by Bob, Victoria, and Tim. I personally know all of you guys, too, and want to give you a big "Thanks" as well. In fact, thanks to everyone involved, speakers and participants included. C4[1] will be remembered, by more than just me, as a roaring success. Now, time to catch up on lost sleep...
