vulnerability with ssh-agent

Damien Miller djm at mindrot.org
Sun Jul 18 16:14:20 EST 2004


Keld Jørn Simonsen wrote:
> I have taken the sources and done a little hacking, and I noticed a
> remark that the encryption of sensitive information in ssh-agent was a
> "TODO". So somebody other than me, and with some status in the project,
> enough to comment on what to do, has also considered it a good
> idea to encrypt keys and other stuff.

It is a broken TODO then, because there is no way to do it. Sure, you
can have the agent encrypt its memory, but it also has to store the key,
so this is just an obscurity measure.

Don't expose your keys to a system that you don't trust (I'd hope that
this is just common sense).

-d




More information about the openssh-unix-dev mailing list