FAS and public Key auth

Kostas Georgiou k.georgiou at imperial.ac.uk
Fri May 23 11:42:51 UTC 2008

On Thu, May 22, 2008 at 10:19:54AM -0500, Mike McGrath wrote:

> I know your private key doesn't touch the wire or remote system.  But the
> agent creates a socket in /tmp/ssh-* and I'm worried someone with access
> to that socket could auth to other machines as the user.

The agent *isn't* forwarded by default, you need to use either -A in the
command line or ForwardAgent yes in the config. Of course nothing stops
users from enabling agent forwarding by default but then again nothings
stops them from doinf other stupid things with ssh keys, having passwordless
keys and keeping a copy of them in some insecure location is one of the
worst examples.

For the people having agent forwarding enabled by default you already
have a problem with all the other machines that they connect anyway for
their daily work/whatever.

Running a kerberos server is a good alternative to ssh pubkey auth, you
can enforce centrally non forwardable tickets if you want so you can be
sure that other machines that the user authenticates with cannot connect
back to the fedora servers. 

Kostas Georgiou

More information about the Fedora-infrastructure-list mailing list