Disabling Password-based auth? (was RE: recent breakins)

douglas.manton at uk.ibm.com douglas.manton at uk.ibm.com
Sat Jun 2 00:10:57 EST 2001




> There is no effective
> way for any authentication information from the first
> session to be passed to the second, in my mind.

SSH agent forwarding allows authentication challenges to be securely
forwarded back to your local machine.  The intermediary client acts as a
proxy and does not benefit from watching the authentication
challenge/response pass by.

Of course, it does then have access to the remote machine for that
session.  The trojan SSH client could always take this opportunity to add
another public key to allow 3rd party access...

--------------------------------------------------------
  Doug Manton, AT&T EMEA Commercial Security Solutions

               E:  demanton at att.com
--------------------------------------------------------
"If privacy is outlawed, only outlaws will have privacy"
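
The second point in the message above, that a compromised intermediary could append a public key during the session, can be checked for after the fact. The following is an added example, not part of the original post: it fingerprints each entry of an `authorized_keys` file in OpenSSH's SHA256 format and reports entries missing from a known-good baseline. The key blobs, comments and baseline are constructed sample data, and the function names are hypothetical.

```python
import base64
import hashlib
import re

# One whitespace-delimited field; double-quoted option values may contain spaces.
TOKEN = re.compile(r'(?:[^\s"]|"(?:\\.|[^"\\])*")+')
KEY_TYPE = re.compile(r'^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)$')

def fingerprint(blob_b64):
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit(text, baseline):
    """Return (lineno, fingerprint, comment) for every key not in baseline.
    Lines that cannot be parsed are reported with fingerprint None."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = TOKEN.findall(line)
        # The key type is the first field, or the second when options are present.
        idx = next((i for i, t in enumerate(tokens[:2]) if KEY_TYPE.match(t)), None)
        try:
            fp = fingerprint(tokens[idx + 1])
        except (TypeError, IndexError, ValueError):
            findings.append((lineno, None, line))
            continue
        if fp not in baseline:
            findings.append((lineno, fp, " ".join(tokens[idx + 2:])))
    return findings

def _blob(seed):
    # Constructed stand-in for a public key blob (not a real key).
    return base64.b64encode(seed).decode()

# Constructed authorized_keys content: two expected keys and one added later.
SAMPLE = "\n".join([
    "# constructed sample",
    f"ssh-ed25519 {_blob(b'constructed-key-laptop')} doug@laptop",
    f'from="10.0.0.0/8",command="/usr/bin/backup run" ssh-rsa {_blob(b"constructed-key-backup")} backup job',
    f"ssh-rsa {_blob(b'constructed-key-unknown')} added-during-session",
])
BASELINE = {fingerprint(_blob(b"constructed-key-laptop")),
            fingerprint(_blob(b"constructed-key-backup"))}

if __name__ == "__main__":
    for lineno, fp, comment in audit(SAMPLE, BASELINE):
        print(f"line {lineno}: unexpected key {fp} ({comment})")
```

The baseline should be recorded from a trusted host, since a file on the machine being audited can be changed by the same session that added the key.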





More information about the openssh-unix-dev mailing list