On Thu, Sep 20, 2001 at 04:16:14PM -0400, Robert W. Brewer wrote:
> > I fail to see how agent forwarding causes a security risk.  Credentials 
> > still are never sent over the wire.  Worst case the intervening host could 
> > intercept your proof of credentials and use that to generate credentials, 
> > which basically means cracking your RSA/DSA key.
> 
> Here's how I think it would work.  I'm trying to understand
> it better myself so I appreciate the discussion.
> 
> I'm logged in on host Alice, which is my personal workstation and
> is assumed very secure.  :)  Now I ssh to host Maverick which 
> I have an account on but which could have been broken into, or
> maybe just has a sysadmin that I don't trust.
> I think the idea is that Maverick could initiate an
> ssh connection to host Bob which I'm allowed to ssh into,
> and use my ssh-agent port (forwarded from my originating host Alice to
> Maverick) to respond to the authentication challenge from Bob.
> Now the root user on Maverick has gained access to Bob as me.
> The root user on Maverick would not get access to my 
> private key material residing in the ssh-agent
> on Alice, but he would gain access to all my files on Bob, which
> would be bad.  He would only gain access for one session,
> but one session is enough to install a back door to allow
> him to get in anytime after that.
> 
> So all I'm saying is that my ssh-agent is ready to respond
> to authentication challenges at any time, and it is designed
> to respond to them without notifying me so this scenario could
> happen without my knowledge.  But if the ssh-agent had a command-line
> option to notify me before it responds to any challenges, or only
> remote challenges, or whatever, then I can at least detect that
> something weird is going on.  It's just a compromise between
> the extremes of "disable all ssh-agent forwarding" and "enable
> all ssh-agent forwarding,"  namely, "enable ssh-agent forwarding
> but keep me in the loop."


I agree that's a problem, and I sent a suggestion about this back in August
of 1997 to ssh-bugs and had a brief discussion with Tero Kivinen about it.
Here's what he said:

> I assume there will be some improvements for ssh-agent in 2.0
> protocol, that would allow you to temporarily disable agent when you
> leave from your workstation, or you can change the agent to query you
> every time someone wants to authenticate something using forwarded
> agent connection (At least I have planned to implement such features).

For my company distribution I just changed the default in the 1.2.X series
to not forward agent.

- Dave Dykstra
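The "keep me in the loop" agent the thread asks for, as an added example that is not code from this thread or from the ssh project: a small Python proxy that sits in front of the real agent socket, parses each client message, and asks before forwarding a signing request (the only message type that answers an authentication challenge). The socket paths, the `ask` callback and all function names are assumptions; current OpenSSH provides the same behaviour natively with `ssh-add -c`.

```python
import socket
import struct

# Message numbers from the SSH agent protocol (draft-miller-ssh-agent).
SSH_AGENT_FAILURE = 5
SSH_AGENTC_SIGN_REQUEST = 13

def read_string(buf, off):
    """Read one SSH wire-format string (uint32 length + bytes) at offset off."""
    n, = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def classify(msg):
    """(key type, needs_confirmation) for one unframed agent message; only a
    SIGN_REQUEST answers an authentication challenge, all else passes through."""
    if not msg or msg[0] != SSH_AGENTC_SIGN_REQUEST:
        return None, False
    key_blob, _ = read_string(msg, 1)       # string: public key blob
    key_type, _ = read_string(key_blob, 0)  # blob begins with its algorithm name
    return key_type.decode(), True

def frame(msg):
    """Length-prefix a message (also the wire encoding of an SSH string)."""
    return struct.pack(">I", len(msg)) + msg

def recv_msg(sock):
    """Read one length-prefixed agent message; b"" on EOF."""
    hdr = sock.recv(4, socket.MSG_WAITALL)
    if len(hdr) < 4:
        return b""
    return sock.recv(struct.unpack(">I", hdr)[0], socket.MSG_WAITALL)

def serve(listen_path, real_agent_path, ask=input):
    """Accept clients on listen_path (point SSH_AUTH_SOCK at it), prompt before
    forwarding each signing request to the real agent, and answer FAILURE when
    the user declines, so a forwarded agent cannot be used silently."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(listen_path)
    srv.listen(5)
    while True:
        client, _ = srv.accept()
        with client, socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as agent:
            agent.connect(real_agent_path)
            while msg := recv_msg(client):
                key_type, confirm = classify(msg)
                if confirm and ask(f"Sign with {key_type} key? [y/N] ").lower() != "y":
                    client.sendall(frame(bytes([SSH_AGENT_FAILURE])))
                    continue
                agent.sendall(frame(msg))
                client.sendall(frame(recv_msg(agent)))
```

Start it with `serve("/path/to/confirm.sock", <current SSH_AUTH_SOCK>)` and point SSH_AUTH_SOCK at the new path before running ssh with agent forwarding; a challenge relayed from the intermediate host then produces a visible prompt instead of a silent signature.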
