Date: Sat, 2 Jun 2001 08:57:05 -0700
From: Michael Han <mikehan@mikehan.com>
To: "Karsten W. Rohrbach" <karsten@rohrbach.de>
Cc: security@FreeBSD.ORG
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
Message-ID: <20010602085705.A3799@giles.mikehan.com>
In-Reply-To: <20010602155302.A56136@mail.webmonster.de>; from karsten@rohrbach.de on Sat, Jun 02, 2001 at 03:53:02PM +0200
References: <20010601143755.B88206@xor.obsecurity.org> <Pine.NEB.3.96L.1010602083607.65702I-100000@fledge.watson.org> <20010602155302.A56136@mail.webmonster.de>

On Sat, Jun 02, 2001 at 03:53:02PM +0200, Karsten W. Rohrbach wrote:
>
> > Note also that in a multiple-key scenario, the SSH client provides no way
> > to selectively forward keys to hosts, or express policy regarding whether
> > keys are then forwarded by the host you have connected to.
> would it be very hard to add this functionality?
> where would the policies be stored?
> storing them in the identity would require changing the key file format,
> so i guess something like an agent configuration would make sense.

There's already a good precedent for this. $HOME/.ssh/config, which is
where I decide which hosts I connect to are trusted (override
ForwardX11 no and ForwardAgent no if desirable). So if someone thought
of a new configuration command, like "ForwardAgentKeys" which took a
list of fingerprints or something, that'd actually be a pretty
straightforward way to do this.

My biggest complaint with ssh (though it's also quite nice) is the way
it punts so many security issues to the user. As an admin, that choice
makes it difficult to control the security policy on the network, and
occasionally scares me, since most users don't really seem to be very
concerned about security, yet ssh happily punts security policy issues
to them.

--
mikehan@mikehan.com http://www.mikehan.com/
coffee achiever San Francisco, California
The life uncaffeinated is not worth living.
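
The per-host trust decision described in the message above, as an added example that is not part of the original e-mail: a small Python audit that resolves ForwardAgent and ForwardX11 for a given host from ssh_config text, where the first value obtained wins. The sample config and all host names are constructed, and the parser is a simplification (Host blocks only; Match blocks are skipped and Include is not followed).

```python
from fnmatch import fnmatchcase

# Constructed sample ~/.ssh/config; all host names are hypothetical.
SAMPLE_CONFIG = """\
# trusted jump host: agent forwarding deliberately enabled
Host bastion.example.org
    ForwardAgent yes
Host *.lab.example.org !old.lab.example.org
    ForwardX11=yes
# default for every other host
Host *
    ForwardAgent no
    ForwardX11 no
"""

FORWARD_KEYS = ("forwardagent", "forwardx11")

def parse_blocks(text):
    """Split ssh_config text into (host_patterns, {keyword: value}) blocks."""
    blocks = [(["*"], {})]  # options before the first Host line apply to all hosts
    for raw in text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            blocks.append((value.split(), {}))
        elif key == "match":
            blocks.append(([], {}))  # simplification: Match blocks are never applied
        else:
            blocks[-1][1].setdefault(key, value)
    return blocks

def effective_forwarding(text, host):
    """Resolve forwarding options for host; first value wins, default is "no"."""
    result = {}
    for patterns, opts in parse_blocks(text):
        hit = any(fnmatchcase(host, p) for p in patterns if not p.startswith("!"))
        vetoed = any(fnmatchcase(host, p[1:]) for p in patterns if p.startswith("!"))
        if hit and not vetoed:
            for key in FORWARD_KEYS:
                if key in opts:
                    result.setdefault(key, opts[key].lower())
    return {key: result.get(key, "no") for key in FORWARD_KEYS}

def hosts_with_forwarding(text, hosts):
    """Return the hosts for which any forwarding option is not "no"."""
    return [h for h in hosts
            if any(v != "no" for v in effective_forwarding(text, h).values())]
```

Because the first matching value wins, the restrictive `Host *` block has to come last; placed first, it would override the per-host exceptions.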