question about pubkey and passphrase

Jochen Bern Jochen.Bern at binect.de
Tue Feb 11 08:14:14 AEDT 2020 

(Anonymizing the reply I received as the sender apparently chose not to
send it to the list.)

On 02/10/2020 07:30 PM, [someone] wrote:
> On Feb 10, 2020, at 10:03 AM, Jochen Bern <Jochen.Bern at binect.de> wrote:
>> In particular in the case of ssh-agent [...]
> 
> Yes, but if there is an ssh-agent running and you have a root process, you
> could query the keys in it.

A root process on the client machine should be able to record the
passphrase as the user types it, to name but one option, so that's
pretty much a "game over" situation - short of having the privkey
operations moved to a hardware token with its own input device.

An attacker on the client machine who can merely *communicate* with the
running ssh-agent should not be able to *extract* any privkeys from it.
He can try to *use* them, though - and that's why I advocate to always
use the -c and -t options of ssh-add.

(Not that I would be likely to notice if the attacker were to slip in
one confirmation popup *right* when I'm, e.g., distributing a file to a
couple dozen target machines every once in a while, though. If the popup
were to state the target machine/account, it would be more helpful to me
than now, showing the keypair about to be used.)

(FWIW, I'm using Ksshaskpass and OpenSSH's ssh-agent + ssh-add. IIRC
I've once seen a system/distrib where even the agent was *not*
OpenSSH's, in spite of it using OpenSSH ssh and sshd.)

>> Note, however, that offhand, I cannot find a command that allows you to
>> derive a pubkey from a privkey,
> 
> Presuming you have the key for the privkey you may use
>   ssh-keygen -y -f .ssh/id_ecdsa

Ah, I missed the -y option when I skimmed the manpage, thanks ...

Kind regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4278 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20200210/4414eec7/attachment.p7s>

More information about the openssh-unix-dev mailing list