FAS and public Key auth

Jeremy Katz katzj at redhat.com
Thu May 22 15:55:34 UTC 2008

On Thu, 2008-05-22 at 08:41 -0700, brett lentz wrote:
> On Thu, May 22, 2008 at 8:19 AM, Mike McGrath <mmcgrath at redhat.com> wrote:
> > On Thu, 22 May 2008, brett lentz wrote:
> >> The implications for ssh-agent is fairly simple. Your private key
> >> still never touches the wire or the remote systems. SSH-Agent forwards
> >> the auth challenges to the local system you're logging in from.
> >>
> >> Here's a great diagram of the process:
> >> http://www.unixwiz.net/techtips/ssh-agent-forwarding.html#fwd
> >>
> >
> > I know your private key doesn't touch the wire or remote system.  But the
> > agent creates a socket in /tmp/ssh-* and I'm worried someone with access
> > to that socket could auth to other machines as the user.
> Yes, that's a well-known risk. The only protections on that socket are
> filesystem-level permissions, which root can obviously bypass.

And the risk isn't increased by us allowing third-party groups to do
auth via FAS.  This risk is present whenever any user logs in to another
machine with agent forwarding.  Which is requested by the user/client --
not the machine being logged into


More information about the Fedora-infrastructure-list mailing list