vulnerability with ssh-agent

Keld Jørn Simonsen keld at dkuug.dk
Mon Jul 19 10:28:47 EST 2004


On Mon, Jul 19, 2004 at 07:47:32AM +1000, Damien Miller wrote:
> Keld Jørn Simonsen wrote:
> 
> > A scenario: somebody has cracked my password, and can log in as a
> > normal user on my home server over the internet. With an open ssh-agent he
> > can log in further to my other servers. If it was the ssh-agent's job to
> > ask for the confirmation then I would get a notice at my X window and I
> > would not grant the intruder.  That would mean that ssh-agent at some
> > time would get the information that a specific ssh-askpass program
> > should be used. Maybe this would be at launch time of ssh-agent, maybe
> > that would be when invoking ssh-add -c (or what option this feature
> > should have).
> 
> This is what happens now. Please read and understand the manpages.

Yes, this is how it works. Got it working now! Thanks for your patience
with me. In some sense it is good to know that the way I wanted it to
work is the way it actually works. Then I am not totally off target.

I will add a recommendation of using ssh-add -c </dev/null
in my writeup, so your help is probably going to help quite some people.

Best regards
Keld
