[Bug 1663] Allow to use agent for distribution of public keys.
bugzilla-daemon at bugzilla.mindrot.org
bugzilla-daemon at bugzilla.mindrot.org
Wed Feb 10 10:30:30 EST 2010
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #3 from Damien Miller <djm at mindrot.org> 2010-02-10 10:30:29 EST ---
This is an interesting idea. My concerns are:
1) you lose the ability to specify key restrictions. I.e. you can't
force commands on a per-key basis, disable port-forwarding, etc.
2) I think it would be better if you don't run the agent from sshd.
Instead, you add a single directive to sshd_config to inform it of an
agent socket path and use ssh-agent's "-a" option to make it listen on
a single location.
3) ssh-agent has not be written with robustness against deliberately
malformed input in mind and will fatal() at the first encoding error.
This is good behaviour for a per-user agent, but could lead to
system-level DoS when used to manage public keys for a host.
We should probably discuss this on the mailing list.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
More information about the openssh-bugs
mailing list