vulnerability with ssh-agent
Darren Tucker
dtucker at zip.com.au
Fri Jul 16 18:35:10 EST 2004
Damien Miller wrote:
> No, because there is no agent running there, just sshd relaying a
> connection. Use "ssh-add -c" if you are paranoid about unauthorised
> agent use (I do).
I also have a patch somewhere that adds an escape (~A) to ssh that
toggles responses to agent forward requests. You can connect with it
enabled, then disable/enable it as you require it.
It would also be possible to add an option like "ForwardAgent passive"
to set up the connection with request forwarding enabled, but responses
disabled, so it would need to be enabled via the toggle before it could
be used.
[digs through patch dir] found it, attached.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Attachment: openssh-disable-agentfwd2.patch
http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040716/3dc7253e/attachment.ksh
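The ~A escape and "ForwardAgent passive" above come from Darren's patch and proposal, not stock OpenSSH. As an added illustration (not from the thread or the patch), this is the closest stock-OpenSSH equivalent of the same idea: forwarding is off by default, enabled only for the one host that needs it, and every agent use still requires a local confirmation because the key was loaded with "ssh-add -c". Host names and key path are made-up placeholders.

```sshconfig
# ~/.ssh/config (example, not from the original post)

# Default for every host: never expose the agent to the remote sshd.
Host *
    ForwardAgent no

# Only the one jump host that genuinely needs to hop onward gets the agent,
# and only after the key was loaded with confirmation required:
#   ssh-add -c ~/.ssh/id_ed25519_jump     # placeholder key path
# With -c, each signing request relayed back through the forwarded socket
# pops a local confirmation dialog (via SSH_ASKPASS), so a compromised
# remote host cannot silently use the key.
Host jump.example.invalid
    ForwardAgent yes
```

Check the effective value for a host with "ssh -G jump.example.invalid | grep -i forwardagent" before relying on it.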