Re: Apache Software Foundation Server compromised, resecured. (fwd)

From: Borja Marcos (borjamar@sarenet.es)
Date: 06/01/01


From: Borja Marcos <borjamar@sarenet.es>
To: freebsd-security@freebsd.org
Date: Fri, 1 Jun 2001 10:29:17 +0200

On Friday 01 June 2001 04:10, you wrote:
> I believe agent forwarding still exposes the problem: it basically
> sets up a trust relationship with the remote system which allows
> processes running as you on the target machine to access the keys
> stored in the original ssh-agent on your source machine.
>
> i.e. in order to authenticate from the second machine to a third when
> agent forwarding is enabled from machine one to machine two, the
> second client requests a copy of your decrypted credentials which are
> stored in the ssh-agent on the first, and uses them as it pleases
> (ideally, only to authenticate -- once, and according to your
> directions -- with the third system).

        Are you sure? I understand that the challenge encryption is done at the
first system (by the authentication agent) and the private key is *not* sent
anywhere. If that were the case, the authentication agent would have no
useful purpose!

        Of course, a problem remains; it might be possible to start connections from
the second system to the third using the forwarded authentication, but the
use of an external device storing the keys would make it more difficult.

        Borja.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
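The exchange the two messages above disagree about, as an added example that is not part of the original thread: a minimal model of the ssh-agent sign request/response (message numbers 13 and 14 from the agent protocol), with an HMAC as a constructed stand-in for the real signature and a confirm hook modelled on `ssh-add -c`; the key blobs and challenge are constructed. It shows that only a challenge and a signature cross the forwarded channel, never the private key, and that any process able to reach the forwarded socket still gets signatures until the confirm hook says no.

```python
import hmac
import struct

# Message type numbers from the ssh-agent protocol (draft-miller-ssh-agent).
SSH_AGENT_FAILURE = 5
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14

# Constructed key material; in a real agent the private half never leaves machine one.
PUB = b"ssh-ed25519 constructed-public-key-blob"
PRIV = b"constructed-private-key-bytes-32"


def put_string(b):
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def get_string(buf, off):
    """Decode an SSH 'string' at offset off; return (value, next offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def sign(priv, data):
    """Constructed stand-in for a real RSA/Ed25519 signature over the challenge."""
    return hmac.new(priv, data, "sha256").digest()


class Agent:
    """Model of ssh-agent on machine one: keeps the key, hands out only signatures."""

    def __init__(self, pub, priv, confirm=lambda: True):
        self.pub, self.priv, self.confirm = pub, priv, confirm  # confirm ~ ssh-add -c

    def handle(self, msg):
        if msg[0] != SSH_AGENTC_SIGN_REQUEST or not self.confirm():
            return bytes([SSH_AGENT_FAILURE])
        key_blob, off = get_string(msg, 1)
        data, _ = get_string(msg, off)  # the challenge machine three wants signed
        if key_blob != self.pub:
            return bytes([SSH_AGENT_FAILURE])
        return bytes([SSH_AGENT_SIGN_RESPONSE]) + put_string(sign(self.priv, data))


def forwarded_auth(agent, challenge):
    """The ssh client on machine two talks to the forwarded socket; returns
    (request, reply) exactly as they cross the channel back to machine one."""
    req = (bytes([SSH_AGENTC_SIGN_REQUEST]) + put_string(agent.pub)
           + put_string(challenge) + struct.pack(">I", 0))  # trailing uint32 flags
    return req, agent.handle(req)
```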


