FAS and public Key auth

Till Maas opensource at till.name
Thu May 22 13:59:27 UTC 2008


On Thu May 22 2008, Mike McGrath wrote:

> You think mitm is fairly low but is it really?  Lets say, for example, you
> forward your ssh agent to this remote host.  What are the implications
> there?

When someone forwards the ssh agent to a machine, the root user of this 
machine can access it and use it to authenticate to other machines. Afaik, 
the only way to prevent this is to use "ssh-add -c" when adding the keys to 
the agent which makes the agent ask the user for permission everytime the key 
should be used for authentication.
But this is a problem that exists even when the FAS is not used by third 
parties, because an user can still forward his ssh-agent.

Regards,
Till
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 827 bytes
Desc: This is a digitally signed message part.
URL: <http://listman.redhat.com/archives/fedora-infrastructure-list/attachments/20080522/03e81c02/attachment.sig>


More information about the Fedora-infrastructure-list mailing list