question about pubkey and passphrase
Jochen.Bern at binect.de
Tue Feb 11 08:14:14 AEDT 2020
(Anonymizing the reply I received as the sender apparently chose not to
send it to the list.)
On 02/10/2020 07:30 PM, [someone] wrote:
> On Feb 10, 2020, at 10:03 AM, Jochen Bern <Jochen.Bern at binect.de> wrote:
>> In particular in the case of ssh-agent [...]
> Yes, but if there is an ssh-agent running and you have a root process, you
> could query the keys in it.
A root process on the client machine should be able to record the
passphrase as the user types it, to name but one option, so that's
pretty much a "game over" situation - short of having the privkey
operations moved to a hardware token with its own input device.
An attacker on the client machine who can merely *communicate* with the
running ssh-agent should not be able to *extract* any privkeys from it.
He can try to *use* them, though - and that's why I advocate to always
use the -c and -t options of ssh-add.
(Not that I would be likely to notice if the attacker were to slip in
one confirmation popup *right* when I'm, e.g., distributing a file to a
couple dozen target machines every once in a while, though. If the popup
were to state the target machine/account, it would be more helpful to me
than now, showing the keypair about to be used.)
(FWIW, I'm using Ksshaskpass and OpenSSH's ssh-agent + ssh-add. IIRC
I've once seen a system/distrib where even the agent was *not*
OpenSSH's, in spite of it using OpenSSH ssh and sshd.)
>> Note, however, that offhand, I cannot find a command that allows you to
>> derive a pubkey from a privkey,
> Presuming you have the key for the privkey you may use
> ssh-keygen -y -f .ssh/id_ecdsa
Ah, I missed the -y option when I skimmed the manpage, thanks ...
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 4278 bytes
Desc: S/MIME Cryptographic Signature
More information about the openssh-unix-dev