Repost: [patch] Automatically add keys to agent
joshua stein
jcs at jcs.org
Fri Jan 29 12:05:42 EST 2010
> Imagine an attacker has access to your account on a target system.
then all bets are off anyway.
> The ways to avoid ever falling into this trap:
>
> 1) Always ssh with -v, and read the verbose messages every time, so you
> are certain you know where the prompt originated. Not likely.
>
> 2) Always ssh-add your passphrases locally first, before ssh'ing
> anywhere. For best results, set BatchMode=yes by default in
> ~/.ssh/config so that you will never ever ever be prompted
> legitimately; the connection will simply fail until you remember
> to ssh-add. Therefore any time you are ever prompted when ssh'ing
> somewhere, you are being messed with.
3) don't turn the option on. nobody's proposing that it be on by
default.
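To check the "set BatchMode=yes by default" arrangement from the quoted advice, here is an added audit helper (my own example, not OpenSSH code or anything from this thread). It assumes a plain ssh_config file: it understands Host/Match scoping and the "Keyword value" form only, not Include directives or the "Keyword=value" form.

```shell
# Audit an ssh_config file for the default the quoted advice recommends:
# is BatchMode set to yes in the global scope (directives before the first
# Host/Match line, or inside a bare "Host *" block)?
# Prints "yes", "no" or "unset". Hypothetical helper, not part of OpenSSH.
batchmode_default() {
  awk '
    BEGIN { global = 1; found = "unset" }
    NF == 0 || substr($1, 1, 1) == "#" { next }   # skip blanks and comments
    {
      key = tolower($1)
      if (key == "host" || key == "match") {
        # Only a lone "Host *" keeps global scope; any other pattern is host-specific.
        global = (key == "host" && NF == 2 && $2 == "*") ? 1 : 0
        next
      }
      # ssh uses the first value obtained for a parameter, so keep the first hit.
      if (global && key == "batchmode" && found == "unset") {
        found = (tolower($2) == "yes") ? "yes" : "no"
      }
    }
    END { print found }
  ' "$1"
}

# Constructed sample config (not a real user file) to exercise the check.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# per-host settings first; they must not count as the default
Host work
    User me
    BatchMode no

Host *
    BatchMode yes
EOF
printf 'BatchMode default: %s\n' "$(batchmode_default "$sample")"
rm -f "$sample"
```

With the default set to yes, any passphrase prompt that still appears is exactly the kind of prompt the quoted text warns about.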