[nycbug-talk] Analyzing malicious SSH login attempts
Mischa Diehm
md at mailq.de
Sat Sep 30 15:46:04 EDT 2006
On Wed, Sep 13, 2006 at 02:23:54PM -0400, Johnny Lam wrote:
> Given the way that ssh-agent works (using sockets in /tmp/ssh-XXXXXXX),
> the disadvantage is that you have to *really* trust every intermediate
> machine through which you do agent forwarding. This is because anyone
> with root access on any machine through which you do agent forwarding
> can simply use your forwarded credentials because he can access that
> socket file.
The following option in ssh-add is useful in this case:
-c      Indicates that added identities should be subject to confirmation before being used for authentication. Confirmation is performed by the SSH_ASKPASS program mentioned below. Successful confirmation is signaled by a zero exit status from the SSH_ASKPASS program, rather than text entered into the requester.
Mischa
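As an added example, not part of Mischa's post or of the OpenSSH documentation, the following POSIX shell script puts the two points of the thread together from the client's side: keys are loaded with `ssh-add -c` so that a forwarded agent on a compromised intermediate host cannot sign silently, and the local ssh_config is checked for a blanket `ForwardAgent yes` under `Host *`, which is what extends the trust problem to every host you connect to. The config text, the function names and the key path are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread or from OpenSSH).

# Constructed ssh_config samples (assumption: what a user's ~/.ssh/config
# might contain). The first forwards the agent to every host, the second
# only to a named bastion.
SAMPLE_CONFIG='Host *
    ForwardAgent yes
Host bastion.example
    ForwardAgent yes
'
SAFE_CONFIG='Host *
    ForwardAgent no
Host bastion.example
    ForwardAgent=yes
'

# Reads an ssh_config on stdin. Returns 0 (true) when ForwardAgent is
# enabled inside a wildcard "Host *" block, i.e. agent forwarding is on
# for every destination; returns 1 otherwise. Keywords are case-insensitive
# and both "Key value" and "Key=value" forms are accepted.
forward_agent_is_global() {
    awk '
        { gsub(/=/, " ") }                      # normalise Key=value
        tolower($1) == "host" { inglobal = ($2 == "*"); next }
        inglobal && tolower($1) == "forwardagent" && tolower($2) == "yes" { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Loads a private key into the running agent with per-use confirmation
# (ssh-add -c, as quoted in the post). Every signing request, including
# ones arriving over a forwarded socket, must then be approved through
# the SSH_ASKPASS program before the agent answers it.
# Assumption: an agent is running (SSH_AUTH_SOCK set) and SSH_ASKPASS
# points at a prompting program; the key path is a placeholder.
load_key_with_confirmation() {
    ssh-add -c "${1:-$HOME/.ssh/id_ed25519}"
}

# Demonstration on the constructed configs.
if printf '%s\n' "$SAMPLE_CONFIG" | forward_agent_is_global; then
    echo "SAMPLE_CONFIG: agent forwarded to every host (Host * ForwardAgent yes)"
fi
if printf '%s\n' "$SAFE_CONFIG" | forward_agent_is_global; then
    echo "SAFE_CONFIG: agent forwarded to every host"
else
    echo "SAFE_CONFIG: forwarding limited to named hosts"
fi
```

To apply the check to a real client, pipe the file in (`forward_agent_is_global < ~/.ssh/config`); the `-c` loading only has effect while an agent with a working SSH_ASKPASS is available, so run `load_key_with_confirmation` interactively rather than from cron.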