> I fail to see how agent forwarding causes a security risk.  Credentials 
> still are never sent over the wire.  Worst case the intervening host could 
> intercept your proof of credentials and use that to generate credentials, 
> which basically means cracking your RSA/DSA key.

Here's how I think it would work.  I'm trying to understand
it better myself so I appreciate the discussion.

I'm logged in on host Alice, which is my personal workstation and
is assumed very secure.  :)  Now I ssh to host Maverick which 
I have an account on but which could have been broken into, or
maybe just has a sysadmin that I don't trust.
I think the idea is that Maverick could initiate an
ssh connection to host Bob which I'm allowed to ssh into,
and use my ssh-agent port (forwarded from my originating host Alice to
Maverick) to respond to the authentication challenge from Bob.
Now the root user on Maverick has gained access to Bob as me.
The root user on Maverick would not get access to my 
private key material residing in the ssh-agent
on Alice, but he would gain access to all my files on Bob, which
would be bad.  He would only gain access for one session,
but one session is enough to install a back door to allow
him to get in anytime after that.

So all I'm saying is that my ssh-agent is ready to respond
to authentication challenges at any time, and it is designed
to respond to them without notifying me so this scenario could
happen without my knowledge.  But if the ssh-agent had a command-line
option to notify me before it responds to any challenges, or only
remote challenges, or whatever, then I can at least detect that
something weird is going on.  It's just a compromise between
the extremes of "disable all ssh-agent forwarding" and "enable
all ssh-agent forwarding," namely, "enable ssh-agent forwarding
but keep me in the loop."

-Rob
-- 
Robert W. Brewer
Jesus rules!
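As an added illustration of the Alice/Maverick/Bob scenario (example code, not part of the original thread), the script below audits a client ssh_config for hosts that would expose the agent socket, and prints a hardened config that reaches Bob through Maverick with ProxyJump instead of agent forwarding; the host names follow the message and the config text is constructed.

```shell
# Added example, not from the thread: audit a client ssh_config for hosts that
# will forward the agent, then print a hardened config that reaches Bob via
# Maverick without ever exposing the agent socket on Maverick.
# Host names follow the thread; the config text is constructed.

# Print "host yes|no" for every Host block. A block without its own ForwardAgent
# line inherits the value from "Host *" (assumed to be the last block, as is
# usual); with no "*" block at all the OpenSSH default "no" applies.
audit_agent_forwarding() {
    awk '
        tolower($1) == "host" {
            host = $2; order[++n] = host          # first pattern only
            if (!(host in fwd)) fwd[host] = "unset"
            next
        }
        tolower($1) == "forwardagent" && host != "" { fwd[host] = tolower($2); next }
        END {
            def = ("*" in fwd) ? fwd["*"] : "no"
            for (i = 1; i <= n; i++) {
                v = fwd[order[i]]
                if (v == "unset") v = def
                if (order[i] != "*") print order[i] " " v
            }
        }' "$1"
}

# Constructed sample: Maverick is the untrusted hop, Bob the real target.
sample_config() {
    printf 'Host maverick\n    HostName maverick.example\n    ForwardAgent yes\n'
    printf 'Host bob\n    HostName bob.example\n'
    printf 'Host *\n    ForwardAgent no\n'
}

# Hardened version: the agent never leaves Alice. Bob is reached through
# Maverick with ProxyJump, so Maverick only relays an encrypted stream and
# Bob's challenge is answered directly by the agent on Alice.
hardened_config() {
    cat <<'EOF'
Host *
    ForwardAgent no
Host bob
    HostName bob.example
    ProxyJump maverick.example
EOF
}

cfg=$(mktemp); sample_config > "$cfg"
echo "Hosts that will expose the agent socket:"
audit_agent_forwarding "$cfg" | grep ' yes$'
rm -f "$cfg"
```

For the "keep me in the loop" option the message asks for, OpenSSH's `ssh-add -c` loads a key so that the agent asks for confirmation (via SSH_ASKPASS) before each signature, whether the request arrives locally or over a forwarded socket.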
