Re: Apache Software Foundation Server compromised, resecured. (fwd)

From: Michael Han (mikehan@mikehan.com)
Date: 06/02/01


Date: Sat, 2 Jun 2001 08:57:05 -0700
From: Michael Han <mikehan@mikehan.com>
To: "Karsten W. Rohrbach" <karsten@rohrbach.de>

On Sat, Jun 02, 2001 at 03:53:02PM +0200, Karsten W. Rohrbach wrote:
>
> > Note also that in a multiple-key scenario, the SSH client provides no way
> > to selectively forward keys to hosts, or express policy regarding whether
> > keys are then forwarded by the host you have connected to.
> would it be very hard to add this functionality?
> where would the policies be stored?
> storing them in the identity would require changing the key file format,
> so i guess something like an agent configuration would make sense.
 
There's already a good precedent for this. $HOME/.ssh/config, which
is where I decide which hosts I connect to are trusted (override
ForwardX11 no and ForwardAgent no if desirable). So if someone thought
of a new configuration command, like "ForwardAgentKeys" which took a
list of fingerprints or something, that'd actually be a pretty
straightforward way to do this.

My biggest complaint with ssh (though it's also quite nice) is the way
it punts so many security issues to the user. As an admin, that choice
makes it difficult to control the security policy on the network, and
occasionally scares me, since most users don't really seem to be very
concerned about security, yet ssh happily punts security policy issues
to them.

-- 
mikehan@mikehan.com                            http://www.mikehan.com/
coffee achiever                              San Francisco, California
The life uncaffeinated is not worth living.
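
Added example, not part of the original message: a small auditor that resolves the effective ForwardAgent and ForwardX11 values for a host from ssh_config text, showing that the first value obtained wins, so a `Host *` block placed first overrides a later per-host "no". The host names and both sample configs are constructed, and Match and Include directives are not handled.

```python
import fnmatch
import shlex

# Constructed sample: wildcard block first, so its "yes" is obtained before
# the per-host "no" below is ever read.
WEAK = """\
Host *
    ForwardAgent yes
    ForwardX11 yes

Host shell.untrusted.example
    ForwardAgent no
    ForwardX11 no
"""

# Constructed sample: trusted host first, deny-by-default last.
HARDENED = """\
Host bastion.trusted.example
    ForwardAgent yes

Host *
    ForwardAgent no
    ForwardX11 no
"""

def host_matches(patterns, host):
    """A Host line applies if a positive pattern matches and no negated one does."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            positive = True
    return positive

def effective(config_text, host, keys=("forwardagent", "forwardx11")):
    """Return the first-obtained value of each keyword for host."""
    result, active = {}, True  # options before any Host line apply to all hosts
    for raw in config_text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        keyword, rest = parts[0].lower(), parts[1].strip()
        if keyword == "host":
            active = host_matches(shlex.split(rest), host)
        elif active and keyword in keys:
            result.setdefault(keyword, rest.lower())  # later values are ignored
    # Upstream OpenSSH defaults both options to "no" when nothing sets them.
    return {k: result.get(k, "no") for k in keys}
```

Calling `effective(WEAK, "shell.untrusted.example")` reports both options as "yes" despite the per-host block, while the same call on `HARDENED` reports "no" for both.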