vulnerability with ssh-agent

Ben Lindstrom mouring at etoh.eviladmin.org
Mon Jul 19 04:21:42 EST 2004



On Sun, 18 Jul 2004, Keld Jørn Simonsen wrote:

> On Sat, Jul 17, 2004 at 09:05:38PM -0500, Ben Lindstrom wrote:
> >
> > Sounds like ssh-agent couldn't talk to the askpass program for gnome/x11.
> > As a result ssh-agent returns a denied and ssh falls back to prompting you
> > for the passphrase of the key.
>
> Yes, that was true, and I installed gnome-ssh-askpass and set the shell
> variable. Then it worked. But, but. I would like that it was not ssh
> that initiated this verification, instead it should be ssh-agent.

Please take this up with the IETF if you don't agree with it.  This is how
the RFC drafts are written, and changing it would break compatibility with
every other SSH server in the world.

> And ssh should not default to asking for key/passwd, when programs are
> not found, it should be the job of ssh-agent IMHO.
>

I, like most, don't agree, but you don't seem to get the reason for
ssh-agent in the first place.  ssh-agent is there to allow you to safely
(for SHORT periods of time) decrypt your private key for verification.

If all you are doing is using one key to log in to your remote shell server
every once in a while, then ssh-agent is not the correct tool.  It is used
for short bursts of setting up a large number of connections.

Or, in the case of most developers, long CVS ci/co sessions while coding.

- Ben
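Added example, not part of Ben's message or of OpenSSH itself: a shell script showing the usage he describes, a key decrypted into a throwaway ssh-agent for an explicit, short lifetime (ssh-add -t), beside the weaker habit of adding a key with no lifetime so it stays decrypted until the agent exits. The key path, the key comment, and the 1-second lifetime are demo assumptions chosen so the expiry is observable; a real session would use something like -t 1h. The script returns 77 instead of running if the OpenSSH client tools are not installed.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH itself. Shows the usage Ben
# describes: a key decrypted into ssh-agent only for a short, explicit lifetime.
# The key path, key comment and 1-second lifetime are demo assumptions.

agent_short_lifetime_demo() {
    # Return 0 if the key was listed and then expired, 77 if the OpenSSH tools
    # are missing (demo cannot run), 1 on any other failure.
    command -v ssh-agent >/dev/null 2>&1 && command -v ssh-add >/dev/null 2>&1 \
        && command -v ssh-keygen >/dev/null 2>&1 || return 77

    # Never touch the login session's agent: drop any inherited agent variables.
    unset SSH_AUTH_SOCK SSH_AGENT_PID

    workdir=$(mktemp -d) || return 1

    # Constructed key with an empty passphrase so the demo stays non-interactive.
    # A real key has a passphrase; ssh-add then prompts on the tty, or through
    # $SSH_ASKPASS when there is no tty and DISPLAY is set (the askpass case
    # discussed in the thread).
    ssh-keygen -q -t ed25519 -N '' -C demo-key -f "$workdir/demo_key" || {
        rm -rf "$workdir"; return 1; }

    # Start a private agent for this demo. ssh-agent -t sets a default maximum
    # lifetime for every key it holds; ssh-add -t can override it per key.
    eval "$(ssh-agent -s -t 300)" >/dev/null
    [ -n "$SSH_AGENT_PID" ] || { rm -rf "$workdir"; return 1; }

    # Weak habit: 'ssh-add ~/.ssh/id_ed25519' with no -t leaves the decrypted key
    # in the agent until the agent exits, i.e. usually until logout.
    # Short-lived instead: 1 second here so the expiry is observable; for a
    # CVS ci/co session something like 'ssh-add -t 1h' fits the "short burst".
    ssh-add -t 1 "$workdir/demo_key" >/dev/null 2>&1 || {
        ssh-agent -k >/dev/null 2>&1; rm -rf "$workdir"; return 1; }

    before=$(ssh-add -l 2>&1 || true)   # key is listed right after adding
    sleep 2
    after=$(ssh-add -l 2>&1 || true)    # agent has reaped the expired key

    ssh-agent -k >/dev/null 2>&1        # kill the demo agent via $SSH_AGENT_PID
    rm -rf "$workdir"

    # Before expiry the listing carries the key comment; after expiry ssh-add
    # reports "The agent has no identities."
    case "$before" in *demo-key*) ;; *) return 1 ;; esac
    case "$after" in *"no identities"*) return 0 ;; *) return 1 ;; esac
}

# Usage: run the demo and report its status (0 = key expired as expected).
rc=0
agent_short_lifetime_demo || rc=$?
echo "agent_short_lifetime_demo exit status: $rc"
```

The point the script makes is the one in the message: the agent is a place to hold a decrypted key briefly while many connections are set up, and the lifetime should be stated explicitly rather than left at "until logout".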




More information about the openssh-unix-dev mailing list