Repost: [patch] Automatically add keys to agent

Hank Leininger hlein at korelogic.com
Tue Feb 2 08:02:42 EST 2010


On 2010-01-29, joshua stein wrote:

> > Imagine an attacker has access to your account on a target system.

> then all bets are off anyway.

Oh?  On the _target_ system.  SSH'ing into a possibly compromised system
should not put your local system at risk.  That's why agent and X11
forwarding default to off in the client, sftp is preferred over scp,
etc.

[ It would be an interesting exercise to trap ^D / exit / logout, and
  present a fake originalhost$ prompt, and see what you can collect from
  someone.  From their SSH client version, you may be able to guess
  their OS's default shell & prompt.  But that's another matter. ]

> > The ways to avoid ever falling into this trap:
> > 
> > 1) Always ssh with -v, and read the verbose messages every time, so you
> >    are certain you know where the prompt originated.  Not likely.
> > 
> > 2) Always ssh-add your passphrases locally first, before ssh'ing
> >    anywhere.  For best results, set BatchMode=yes by default in
[snip]
> 
> 3) don't turn the option on.  nobody's proposing that it be on by
> default.

My point was that this was already a concern, and that those are the
ways to avoid being victimized currently.  Adding the proposed feature 
without recognizing this risk could easily lead people to enabling it
when it can get them into trouble.  I do appreciate that the proposal
is to default to 'no', but am concerned that people are talking about
the convenience with no regard to the consequences.

Thanks,

-- 

Hank Leininger <hlein at korelogic.com>
BE5D FCCA 673B D18B 98A9  3175 896E 3D4A 1B4D C5AC
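
Added example (not part of the original message and not OpenSSH code): a sketch of mitigation 2 quoted above, which refuses to connect unless keys were already loaded locally and then runs the client with BatchMode=yes. The names `safe_ssh`, `agent_state`, `SSH_ADD_BIN` and `SSH_BIN` are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example. safe_ssh and agent_state are hypothetical helpers, not OpenSSH code.
# SSH_ADD_BIN / SSH_BIN are assumed override hooks (default: the real binaries).
: "${SSH_ADD_BIN:=ssh-add}"
: "${SSH_BIN:=ssh}"

# Print "loaded", "empty" or "unreachable" for the local agent.
# ssh-add -l exits 0 when it lists identities, 1 when the agent holds none,
# and 2 when no agent can be contacted.
agent_state() {
    _rc=0
    "$SSH_ADD_BIN" -l >/dev/null 2>&1 || _rc=$?
    case $_rc in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo unreachable ;;
    esac
}

# Connect only when keys were already added locally, and keep the client
# from ever prompting for authentication input.
safe_ssh() {
    case $(agent_state) in
        loaded) ;;
        empty)
            echo "safe_ssh: agent has no keys; run ssh-add locally first" >&2
            return 3 ;;
        *)
            echo "safe_ssh: no agent reachable; start one and ssh-add locally" >&2
            return 4 ;;
    esac
    # BatchMode=yes: ssh itself never asks for a passphrase or password, so a
    # prompt that appears later was not produced by the local client.
    # ForwardAgent/ForwardX11=no pin the off-by-default settings for this
    # connection even if a config file enabled them (command line wins).
    "$SSH_BIN" -o BatchMode=yes -o ForwardAgent=no -o ForwardX11=no "$@"
}
```

With this wrapper in use, a passphrase prompt seen during or after a session cannot have come from the local client, which is the property mitigation 2 relies on.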