Restricted agent.

Alfred Perlstein bright at wintelcom.net
Tue Nov 14 13:10:37 EST 2000


I thought as a means of preventing ssh-agent hijacking by
remote hosts one could have a local process communicating
with the agent, simply by having a term open with this
sort of dialog:

 agent-mon: on host foo.elite.com requesting agent forwarding for
 host bar.elite.com (fingerprint matches known_hosts)
 allow? [yes/no]:

I know concepts presented along with patches are preferred, but I'm
pretty occupied at the moment and wanted to know if such a system
was feasible and/or desirable in order to protect against agent
hijacking on remote hosts.  I'm assuming one would need a "known_hosts"
entry for 'bar' on the machine running the agent to make sure
that it's not someone waiting for you to attempt to ssh to a trusted
machine then hijacks the conversation.

I'm not subscribed so be sure to CC me on any flames. :)

thanks,
-- 
-Alfred Perlstein - [bright at wintelcom.net|alfred at freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."
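The kind of local gatekeeper described in this message, as an added example that is not part of the original post and is not OpenSSH code: a small proxy that sits between a forwarded socket and the real ssh-agent, speaks the agent protocol's length-prefixed framing, and only relays a signature request to the real agent after a local prompt is answered "yes". Everything else a remote side might send (adding or removing keys, locking, extensions) is refused outright. One caveat worth knowing: the agent protocol's sign request carries only the key blob, the data to sign and a flags word, not the name of the remote host, so this proxy can prompt per key fingerprint but cannot by itself do the known_hosts check proposed above; that would need cooperation from the ssh client. The socket paths, the `agent-mon` prompt wording and the policy callback are assumptions for the example.

```python
import base64
import hashlib
import os
import socket
import struct
import sys

# Message numbers from the SSH agent protocol (draft-miller-ssh-agent).
SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENTC_SIGN_REQUEST = 13

def read_string(buf, off):
    """Read one SSH 'string' (uint32 length prefix) from buf at offset off."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def frame(msg_type, payload=b""):
    """Wrap a message type byte and payload in the protocol's length prefix."""
    body = bytes([msg_type]) + payload
    return struct.pack(">I", len(body)) + body

def recv_exact(sock, n):
    """Read exactly n bytes, or b'' if the peer closes first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return b""
        buf += chunk
    return buf

def read_frame(sock):
    """Read one complete length-prefixed message (prefix included)."""
    hdr = recv_exact(sock, 4)
    if not hdr:
        return b""
    return hdr + recv_exact(sock, struct.unpack(">I", hdr)[0])

def key_fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a public key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_sign_request(body):
    """Split a SIGN_REQUEST body (type byte removed) into (key_blob, data, flags)."""
    key_blob, off = read_string(body, 0)
    data, off = read_string(body, off)
    return key_blob, data, struct.unpack(">I", body[off:off + 4])[0]

def filter_request(msg, ask):
    """Policy for one client->agent frame. Returns None to forward the frame
    to the real agent unchanged, or a complete reply frame to send back to
    the client instead (the real agent then never sees the request)."""
    body = msg[4:]
    if not body:
        return frame(SSH_AGENT_FAILURE)
    if body[0] == SSH_AGENTC_REQUEST_IDENTITIES:
        return None  # listing public keys is harmless; ssh needs it to pick a key
    if body[0] == SSH_AGENTC_SIGN_REQUEST:
        key_blob, data, _flags = parse_sign_request(body[1:])
        return None if ask(key_fingerprint(key_blob), len(data)) else frame(SSH_AGENT_FAILURE)
    # Everything else (add/remove keys, lock/unlock, extensions) is refused:
    # a forwarded socket has no business managing the local agent.
    return frame(SSH_AGENT_FAILURE)

def ask_on_terminal(fingerprint, nbytes):
    """Interactive policy in the spirit of the proposed agent-mon dialog (assumed wording)."""
    sys.stdout.write(f"agent-mon: signature requested with key {fingerprint} "
                     f"over {nbytes} bytes\nallow? [yes/no]: ")
    sys.stdout.flush()
    return sys.stdin.readline().strip().lower() == "yes"

def serve(listen_path, agent_path, ask=ask_on_terminal):
    """Accept clients on listen_path and relay approved frames to agent_path."""
    if os.path.exists(listen_path):
        os.unlink(listen_path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(listen_path)
    os.chmod(listen_path, 0o600)  # only the local user may reach the gatekeeper
    srv.listen(5)
    while True:
        client, _ = srv.accept()
        with client, socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as agent:
            agent.connect(agent_path)
            while True:
                msg = read_frame(client)
                if not msg:
                    break
                reply = filter_request(msg, ask)
                if reply is None:
                    agent.sendall(msg)       # approved: let the real agent answer
                    reply = read_frame(agent)
                client.sendall(reply)

if __name__ == "__main__":
    # usage (assumed): python agent_mon.py /tmp/agent-mon.sock  with SSH_AUTH_SOCK
    # pointing at the real agent; forward /tmp/agent-mon.sock instead of SSH_AUTH_SOCK.
    serve(sys.argv[1], os.environ["SSH_AUTH_SOCK"])
```

Run it with `SSH_AUTH_SOCK` pointing at the real agent and a free socket path as the argument, then point `ssh -A` (or the `IdentityAgent` option) at the proxy socket; each signature request from a forwarded connection then blocks until the local terminal answers. Later OpenSSH releases offer a built-in per-use confirmation with `ssh-add -c`, which covers the same failure mode without a separate process.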





More information about the openssh-unix-dev mailing list