[EMAIL PROTECTED] (Niels Möller) writes:

>> Of course, the server can't know that the agent really pays any
>> attention to that information, but I think that is a minor problem (if
>> the user wants to be sloppy, it's his problem). But perhaps it could
>> stop abuse of a forwarded agent by a compromised intermediate host;
>> the server would include enough information in the challenge for the
>> local agent to recognize that things are not quite right, and then it
>> refuses to sign the challenge.

I don't know how you would come up with a set of rules which would
automatically work.  How does the agent or server tell the difference
between me logging into a sensitive machine to do real work, and an
attacker using a compromised agent to log into the same sensitive
machine to do nefarious things?

                Marc
