Date: Fri, 1 Jun 2001 04:23:47 +0200 From: "Karsten W. Rohrbach" <karsten@rohrbach.de> To: Crist Clark <crist.clark@globalstar.com> Cc: freebsd-security@FreeBSD.ORG Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd) Message-ID: <20010601042347.C90738@mail.webmonster.de> In-Reply-To: <3B16F3DD.E57AF761@globalstar.com>; from crist.clark@globalstar.com on Thu, May 31, 2001 at 06:46:05PM -0700 References: <Pine.BSF.4.21.0105311727160.66343-100000@pogo.caustic.org> <3B16E7D9.3E9B78FF@globalstar.com> <20010601031131.K85717@mail.webmonster.de> <3B16F3DD.E57AF761@globalstar.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--O3RTKUHj+75w1tg5 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Crist Clark(crist.clark@globalstar.com)@2001.05.31 18:46:05 +0000: > "Karsten W. Rohrbach" wrote: > >=20 > > Crist Clark(crist.clark@globalstar.com)@2001.05.31 17:54:49 +0000: > > > *sigh* > > > > > > You cannot 'record passphrases.' RSA authentication uses public key > > > cryptography. The client, the person logging in, proves it knows a > > > secret, the private key, without ever revealing it to the server who > > > only knows the public key. > > > > > *sigh* > >=20 > > fopen() does not have rsa support (thank god) > > btw, the ssh-agent(1) holds the _decrypted_ key you opened with > > ssh-add(1), entering your passphrase that went via a fd from ssh-askpass > > to ssh-add. >=20 > Yep. It does. So? if you ssh to the untrusted box, have your .ssh/identity there (no good practice but a lot of people do it) ssh asks you to enter the passphrase. with a modified ssh binary an attacker would have the=20 passphrase. thus, he could obtain the decrypted identity/key. >=20 > > > The use of public key crypto allows you to log into potentially > > > untrusted servers without revealing your secret. > > hopping a host you got to take care of the ssh binary handling your > > auth token connecting to another - untrusted - server. thus, the binary > > is also potentially untrusted. > > also the ssh ForwardAgent option is potentially dangerous, then. > > portforwarding, too. >=20 > You misunderstand what agent forwarding is. Your private RSA key does > NOT leave your local machine. Agent forwarding means that remote requests > for the agents help will be forwarded to the local machine. When you > are logged into a remote machine and do some action that requires the > agent's help, the data is forwarded to the local agent, it does whatever > magic is done, and the result of the action is passed back along to=20 > the remote machine. Note, the _result of the action_ is passed along, > your private key is NOT passed to the remote server. >=20 > Read the Ylonen SSH draft, specifically the section, "The Authentication= =20 > Agent Protocol," for details. reading the source, i see that the agent itself does all the signing. i should have looked into ssh-agent.c first :-) in this case, agent forwarding has the preference over storing crypted identity on a remote host *grin* anyway, portforwarding could at least lead to session dos attacks i think. /k --=20 > "Niklaus Wirth has lamented that, whereas Europeans pronounce his name > correctly (Ni-klows Virt), Americans invariably mangle it into > (Nick-les Worth). Which is to say that Europeans call him by name, but > Americans call him by value." KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.n= et/ karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 B= F46 --O3RTKUHj+75w1tg5 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7FvyzM0BPTilkv0YRAp6RAJ9C5SU/JfelAwgGimnBhniM25VIQACdG2PS 45KhSQW05oH6itGcXES03xo= =gTZv -----END PGP SIGNATURE----- --O3RTKUHj+75w1tg5-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010601042347.C90738>