Julian Gilbey <[EMAIL PROTECTED]> writes:

> On my home machine, I have an identity in .ssh/identity.pub.
> I copied that into .ssh/authorized_keys on master (possibly using the
> LDAP system).
> I *also* copied it into .ssh/authorized_keys on my home machine.
>
> That extra copy on my home machine (somehow) allows root to snoop my
> identity and so get into my home machine without a password.

This is only possible if you used ssh-agent at some point, and had "agent forwarding" turned on at this time (this may be turned on by default). If you never use the agent, you're not at risk.

> Solution: remove the identity from .ssh/authorized_keys on my home
> machine.

Note that *any* keys that your agent holds can be snarfed by the admin(s) of any hosts where you ssh-in with agent forwarding enabled.

-- Robbe
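
A check for the condition discussed in the message above, as an added example that is not part of the original thread: it reads an OpenSSH client `ssh_config` and reports which destination hosts would get agent forwarding. The function names, the sample config and the host names are constructed for illustration; the `default` value is an assumption to set for your client build, and `Match` and `Include` directives are not evaluated.

```python
import fnmatch
import shlex

# Constructed client-side ssh_config sample (not from the original post).
SAMPLE_CONFIG = """\
Host master
    ForwardAgent yes
Host *.example.org !bastion.example.org
    ForwardAgent yes
Host *
    ForwardAgent no
"""

def _host_matches(patterns, hostname):
    # Host semantics: a matching "!pattern" vetoes the block; otherwise
    # at least one positive pattern must match.
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pat):
            matched = True
    return matched

def effective_forward_agent(config_text, hostname, default="no"):
    # ssh_config takes the first value obtained for each option.
    active = True  # lines before any Host block apply to all hosts
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line.replace("=", " ", 1))
        if not words:
            continue
        key, args = words[0].lower(), words[1:]
        if key == "host":
            active = _host_matches(args, hostname)
        elif key == "match":
            active = False  # assumption: Match blocks are skipped, not evaluated
        elif key == "forwardagent" and active and args:
            return args[0].lower()
    return default

def hosts_forwarding(config_text, hostnames):
    # Anything other than "no" (yes, a socket path, $VAR) exposes the agent.
    return [h for h in hostnames
            if effective_forward_agent(config_text, h) != "no"]
```

Run `hosts_forwarding` over the hosts you log in to whose administrators you do not fully trust; any host it returns should get an explicit `ForwardAgent no` block placed before the wildcard entries.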