OpenSSH daemon security bug?
Davi Diaz
davi at leals.com
Thu Jan 7 05:29:59 EST 2010
Daniel Kahn Gillmor wrote:
> "ssh -A" *will* expose the ability to *use* the private key to
> the remote host, unless your agent is configured to prompt the user
> before using the key ("ssh-add -c").
>
> So [...] the remote host [...] will have effective access to the key.
> See Matt Taggart's "Good Practices for ssh" for more tips:
> http://lackof.org/taggart/hacking/ssh/
In my opinion this is a misfeature which removes any good from key-based
security because you depend on good practices.
Back to using account-password access only.
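
Added example, not part of the original message and not OpenSSH code: a small Python check that reports which hosts in a client configuration would receive a forwarded agent through the `ForwardAgent` option, the configuration-file counterpart of the `ssh -A` discussed in the quoted text. The sample configuration and host names are constructed, the function names are hypothetical, and `Match`/`Include` lines are not evaluated.

```python
import fnmatch

# Constructed sample ssh_config; host names are made up for illustration.
SAMPLE_CONFIG = """\
Host bastion.example.org
    ForwardAgent yes

Host *.example.org !build.example.org
    ForwardAgent no

Host *
    ForwardAgent yes
"""


def host_matches(patterns, hostname):
    """A Host line applies if a pattern matches and no negated pattern does."""
    hostname, matched = hostname.lower(), False
    for pat in (p.lower() for p in patterns):
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False  # a negated match disables the whole Host line
        elif fnmatch.fnmatchcase(hostname, pat):
            matched = True
    return matched


def effective_forward_agent(config_text, hostname):
    """Return the ForwardAgent value for hostname; the default is "no".

    Assumptions of this example: Match and Include lines are not evaluated.
    """
    active = True  # options before the first Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        if not parts:
            continue
        keyword, args = parts[0].lower(), parts[1:]
        if keyword == "host":
            active = host_matches(args, hostname)
        elif keyword == "match":
            active = False  # skipped, see docstring
        elif keyword == "forwardagent" and active and args:
            return args[0].lower()  # the first value obtained wins
    return "no"


def forwarding_hosts(config_text, hostnames):
    """List the hosts that would be handed access to the agent."""
    return [h for h in hostnames if effective_forward_agent(config_text, h) != "no"]
```

In the sample, `build.example.org` is excluded from the `ForwardAgent no` block by the negated pattern and falls through to `Host *`, so it still gets the agent; a check like this makes that kind of fall-through visible.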