FAS and public Key auth
Mike McGrath
mmcgrath at redhat.com
Thu May 22 16:22:03 UTC 2008
On Thu, 22 May 2008, Jeremy Katz wrote:
> On Thu, 2008-05-22 at 08:41 -0700, brett lentz wrote:
> > On Thu, May 22, 2008 at 8:19 AM, Mike McGrath <mmcgrath at redhat.com> wrote:
> > > On Thu, 22 May 2008, brett lentz wrote:
> > >> The implications for ssh-agent is fairly simple. Your private key
> > >> still never touches the wire or the remote systems. SSH-Agent forwards
> > >> the auth challenges to the local system you're logging in from.
> > >>
> > >> Here's a great diagram of the process:
> > >> http://www.unixwiz.net/techtips/ssh-agent-forwarding.html#fwd
> > >>
> > >
> > > I know your private key doesn't touch the wire or remote system. But the
> > > agent creates a socket in /tmp/ssh-* and I'm worried someone with access
> > > to that socket could auth to other machines as the user.
> >
> > Yes, that's a well-known risk. The only protections on that socket are
> > filesystem-level permissions, which root can obviously bypass.
>
> And the risk isn't increased by us allowing third-party groups to do
> auth via FAS. This risk is present whenever any user logs in to another
> machine with agent forwarding. Which is requested by the user/client --
> not the machine being logged into
>
The risk does increase as far as targeting goes though. If you were to do
this type of attack right now, how would you go about doing it and what
machines would you use? If we start allowing third party machines that
have basically no barrier to entry it becomes much easier to plan and
execute the attack.
-Mike
More information about the Fedora-infrastructure-list
mailing list