ssh-agent security

Damien Miller djm at mindrot.org
Tue Aug 21 11:57:40 EST 2007


On Mon, 20 Aug 2007, Michael A Stevens wrote:

> ssh-agent is a great tool that is often misconfigured with respect to agent
> forwarding. How many people running ssh-agent and doing a ssh -A have the very
> same public keys in ~/.ssh/authorized_keys of the machine they are coming
> from? ssh(1) is very clear in its warning about enabling agent forwarding. The
> simple act of prompting the user before using the key would enable them to
> determine when the key was potentially being used without their knowledge. It
> won't stop an attacker from riding on ssh sessions that a user legitimately
> forms, but it will help deter them from using the agent socket to make new
> ones either to other machines or back to the source machine. This patch is by
> no means ready to roll out to users, but any comments on it would be
> appreciated.

Alternately, you could just add your key with "ssh-add -c". The agent
will then require confirmation (via ssh-askpass) for each use of the
key.

-d
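The misconfiguration Michael describes is a host whose ~/.ssh/authorized_keys accepts the very identity the user has loaded into the forwarded agent, so anyone who reaches the forwarded socket can log back into the source machine. The following audit script is an added example, not code from either poster or from OpenSSH: it parses authorized_keys (including the optional leading options field), computes the SHA256 fingerprints that `ssh-keygen -lf` and `ssh-add -l` print, and flags entries satisfied by a loaded identity, noting whether the entry is at least limited by `from=` or `no-agent-forwarding`. The key blobs, comments and host addresses are constructed sample values; the agent's loaded identities are given as a list rather than read from a live `ssh-add -L`.

```python
"""Audit ~/.ssh/authorized_keys for entries that a loaded agent identity can satisfy.
All keys and file contents below are constructed samples, not real credentials."""
import base64
import hashlib
import shlex

# Key types sshd accepts in authorized_keys; used to find the key field after an
# optional options field such as from="...",no-agent-forwarding.
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss"}


def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b


def ed25519_blob(raw_pubkey: bytes) -> str:
    """Base64 blob for an ed25519 public key as it appears in id_ed25519.pub.
    raw_pubkey is constructed sample material here, not a real key."""
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)).decode()


def fingerprint(b64_blob: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf and ssh-add -l print."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield (options, key_type, blob, comment) for each key line, skipping blank
    and comment lines and tolerating a leading options field."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # keeps quoted option values in one token
        for i, field in enumerate(fields):
            if field in KEY_TYPES and i + 1 < len(fields):
                options = " ".join(fields[:i])
                yield options, field, fields[i + 1], " ".join(fields[i + 2:])
                break


def audit(authorized_keys_text: str, loaded_blobs):
    """Report authorized_keys entries on this host that an identity currently
    loaded in the agent satisfies: the self-login path agent forwarding exposes."""
    loaded = {fingerprint(b) for b in loaded_blobs}
    findings = []
    for options, key_type, blob, comment in parse_authorized_keys(authorized_keys_text):
        fp = fingerprint(blob)
        if fp not in loaded:
            continue
        findings.append({
            "fingerprint": fp,
            "type": key_type,
            "comment": comment,
            "source_restricted": "from=" in options,
            "forwarding_disabled": "no-agent-forwarding" in options,
        })
    return findings


# Constructed sample data: three fabricated keys and an authorized_keys file.
KEY_A = ed25519_blob(bytes(range(32)))
KEY_B = ed25519_blob(bytes(range(32, 64)))
KEY_C = ed25519_blob(bytes(range(64, 96)))

SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample ~/.ssh/authorized_keys
ssh-ed25519 {KEY_A} alice@laptop
from="10.0.0.5",no-agent-forwarding ssh-ed25519 {KEY_B} alice@jumphost
ssh-ed25519 {KEY_C} backup@nas
"""

# What `ssh-add -L` would list for this constructed agent: KEY_A and KEY_B loaded.
LOADED_IDENTITIES = [KEY_A, KEY_B]


if __name__ == "__main__":
    for f in audit(SAMPLE_AUTHORIZED_KEYS, LOADED_IDENTITIES):
        flag = "ok-ish" if f["source_restricted"] else "UNRESTRICTED"
        print(f"{flag:12} {f['fingerprint']} {f['comment']}")
```

An unrestricted hit is the case the thread is about; the remedies it points to are loading that identity with `ssh-add -c` so every use prompts via ssh-askpass, or not forwarding the agent to that host at all.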

