mailing list archives
Re: SSH & xauth
From: dbt () MEAT NET (David Terrell)
Date: Fri, 25 Feb 2000 14:08:21 -0800
On Thu, Feb 24, 2000 at 05:31:35PM -0500, Brian Caswell wrote:
The only thing that is required for the client system to be compromised
is for the client to remotely log via ssh (with X11 forwarding enabled)
into a compromised server.
And of course the sshd binary can be trojaned, your agent connections can
be hijacked, passwords logged, etc.
So Add ForwardAgent no to that host * stanza, only log in with an RSA
identity, and run ssh -v to see if anything weird happens.
The SSH protocol trusts the server. If you don't, tread very carefully.
David Terrell | "Any sufficiently advanced technology
Prime Minister, Nebcorp | is indistinguishable from a rigged demo."
dbt () meat net | - Brian Swetland
- SSH & xauth Brian Caswell (Feb 24)