vulnerability with ssh-agent
Keld Jørn Simonsen
keld at dkuug.dk
Mon Jul 19 02:44:55 EST 2004
On Sat, Jul 17, 2004 at 09:05:38PM -0500, Ben Lindstrom wrote:
>
> Sounds like ssh-agent coundn't talk to the askpass program for gnome/x11.
> As a result ssh-agent returns a denied and ssh falls back to prompting you
> for the passphrase of the key.
Yes, that was true, and I installed gnome-ssh-askpass and set the shell
variable. Then it worked. But, but. I would like that it was not ssh
that initiated this verification, instead it should be ssh-agent.
And ssh should not default to asking for key/passwd, when programs are
not found, it should be the job of ssh-agent IMHO.
A scenario: somebody has cracked my password, and can log in as a
normal user on my home server over the internet. With an open ssh-agent he
can log in further to my other servers. If it was the ssh-agent's job to
ask for the confirmation then I would get a notice at my X window and I
would not grant the intruder. That would mean that ssh-agent at some
time would get the information that a specific ssh-askpass program
should be used. Maybe this would be at launch time of ssh-agent, maybe
that would be when invoking ssh-add -c (or what option this feature
should have).
This would also give me a modest shield against a root intruder doing
the same thing.
Best regards
Keld
More information about the openssh-unix-dev
mailing list