FAS and public Key auth

brett lentz wakko666 at gmail.com
Thu May 22 15:41:09 UTC 2008

On Thu, May 22, 2008 at 8:19 AM, Mike McGrath <mmcgrath at redhat.com> wrote:
> On Thu, 22 May 2008, brett lentz wrote:
>> The implications for ssh-agent is fairly simple. Your private key
>> still never touches the wire or the remote systems. SSH-Agent forwards
>> the auth challenges to the local system you're logging in from.
>> Here's a great diagram of the process:
>> http://www.unixwiz.net/techtips/ssh-agent-forwarding.html#fwd
> I know your private key doesn't touch the wire or remote system.  But the
> agent creates a socket in /tmp/ssh-* and I'm worried someone with access
> to that socket could auth to other machines as the user.

Yes, that's a well-known risk. The only protections on that socket are
filesystem-level permissions, which root can obviously bypass.

The only mechanism I'm aware of that could revoke root's ability to
access that file is selinux. However, current policy still allows root
to do whatever he likes.

I don't think it's possible to dictate a "don't use ssh-agent" policy.
That seems unenforceable.

This is where I come back to the assurance bit. As you said, that can
get a bit complicated and hard to manage on systems that aren't ours.

>        -Mike


More information about the Fedora-infrastructure-list mailing list