Date: Thu, 31 May 2001 18:46:05 -0700
From: "Crist Clark" <crist.clark@globalstar.com>
To: "Karsten W. Rohrbach" <karsten@rohrbach.de>
Cc: "f.johan.beisser" <jan@caustic.org>, Alex Holst <a@area51.dk>, freebsd-security@FreeBSD.ORG
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
Message-ID: <3B16F3DD.E57AF761@globalstar.com>
References: <Pine.BSF.4.21.0105311727160.66343-100000@pogo.caustic.org> <3B16E7D9.3E9B78FF@globalstar.com> <20010601031131.K85717@mail.webmonster.de>
"Karsten W. Rohrbach" wrote:
>
> Crist Clark(crist.clark@globalstar.com)@2001.05.31 17:54:49 +0000:
> > *sigh*
> >
> > You cannot 'record passphrases.' RSA authentication uses public key
> > cryptography. The client, the person logging in, proves it knows a
> > secret, the private key, without ever revealing it to the server who
> > only knows the public key.
> >
> *sigh*
>
> fopen() does not have rsa support (thank god)
> btw, the ssh-agent(1) holds the _decrypted_ key you opened with
> ssh-add(1), entering your passphrase that went via a fd from ssh-askpass
> to ssh-add.

Yep. It does. So?

> > The use of public key crypto allows you to log into potentially
> > untrusted servers without revealing your secret.
> hopping a host you got to take care of the ssh binary handling your
> auth token connecting to another - untrusted - server. thus, the binary
> is also potentially untrusted.
> also the ssh ForwardAgent option is potentially dangerous, then.
> portforwarding, too.

You misunderstand what agent forwarding is. Your private RSA key does
NOT leave your local machine. Agent forwarding means that remote
requests for the agent's help will be forwarded to the local machine.
When you are logged into a remote machine and do some action that
requires the agent's help, the data is forwarded to the local agent, it
does whatever magic is done, and the result of the action is passed
back along to the remote machine. Note, the _result of the action_ is
passed along; your private key is NOT passed to the remote server.

Read the Ylonen SSH draft, specifically the section, "The
Authentication Agent Protocol," for details.

-- 
Crist J. Clark                          Network Security Engineer
crist.clark@globalstar.com              Globalstar, L.P.
(408) 933-4387                          FAX: (408) 933-4926

The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above. If
the reader of this e-mail is not the intended recipient, or the
employee or agent responsible to deliver it to the intended recipient,
you are hereby notified that any review, dissemination, distribution or
copying of this communication is strictly prohibited. If you have
received this e-mail in error, please contact postmaster@globalstar.com
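The point made in the message above, that a forwarded agent hands the remote host only the *result* of a signing operation and never the private key, can be made concrete with a small model of the agent protocol. The following Go program is an added illustration written for this archive page; it is not code from the thread, from OpenSSH, or from the Ylonen draft. It models `Agent` (the local ssh-agent holding the decrypted RSA key), `Server` (a possibly untrusted remote host that knows only the public key), and the forwarding channel as a callback that carries a challenge out and a signature back. The type names, the SHA-256/PKCS#1 v1.5 signature scheme and the 32-byte challenge are assumptions chosen for the example, not the wire format of the real protocol.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Agent models ssh-agent on the LOCAL machine. It owns the decrypted
// private key and exposes no method that returns it; the only thing it
// will ever hand out is a signature over a caller-supplied challenge.
type Agent struct {
	priv *rsa.PrivateKey
}

// NewAgent generates a fresh RSA key, standing in for what ssh-add(1)
// would have loaded after the user typed the passphrase.
func NewAgent(bits int) (*Agent, error) {
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &Agent{priv: k}, nil
}

// PublicKey is the only key material a remote host is ever given
// (the equivalent of an authorized_keys entry).
func (a *Agent) PublicKey() *rsa.PublicKey {
	return &a.priv.PublicKey
}

// Sign answers a forwarded request: the challenge comes in, the
// signature ("the result of the action") goes out. The private key
// never crosses this boundary.
func (a *Agent) Sign(challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return rsa.SignPKCS1v15(rand.Reader, a.priv, crypto.SHA256, h[:])
}

// Server models the remote host. It holds only a public key.
type Server struct {
	authorized *rsa.PublicKey
}

// Authenticate issues a random challenge, sends it down the forwarding
// channel (the forward callback) and verifies the returned signature
// against the authorized public key. It returns false for a signature
// made with any other key.
func (s *Server) Authenticate(forward func([]byte) ([]byte, error)) (bool, error) {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false, err
	}
	sig, err := forward(challenge)
	if err != nil {
		return false, err
	}
	h := sha256.Sum256(challenge)
	if err := rsa.VerifyPKCS1v15(s.authorized, crypto.SHA256, h[:], sig); err != nil {
		return false, nil
	}
	return true, nil
}

func main() {
	agent, err := NewAgent(2048)
	if err != nil {
		panic(err)
	}
	srv := &Server{authorized: agent.PublicKey()}

	// The forwarding channel is just agent.Sign: only challenges flow
	// out and only signatures flow back.
	ok, err := srv.Authenticate(agent.Sign)
	fmt.Println("authenticated with forwarded agent:", ok, err)

	// A different agent (different key) fails, since the server can
	// only verify against the public key it already knows.
	other, _ := NewAgent(2048)
	ok, err = srv.Authenticate(other.Sign)
	fmt.Println("authenticated with unrelated key:", ok, err)
}
```

Note what the model does and does not show. It shows that the key itself stays with the local `Agent`, which is Crist's point. It also shows why Karsten's caution still applies: while the forwarded session is open, whoever controls the intermediate host's end of the channel can submit challenges of their choosing and receive valid signatures, which is exactly as much as the agent will ever give out. That is the trade-off a defender weighs when deciding whether to enable `ForwardAgent` toward a host they do not fully trust.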