[nycbug-talk] Analyzing malicious SSH login attempts

Johnny Lam jlam at pkgsrc.org
Wed Sep 13 14:23:54 EDT 2006


David Lawson wrote:
> 
> My experience has been that a passphrase protected ssh key with a
> management agent (SSHKeychain in my case), makes managing secure
> access to large numbers of machines vastly, vastly simpler than it
> would be using passwords.  Some of that, I think, will vary
> depending on your working environment and needs, but in general I've
> become a huge fan of keys and agent forwarding over the last few
> years, so personally I can't really think of a good argument
> _against_ using keys to do authentication, though I'd be interested
> to hear one if one exists.

Given the way that ssh-agent works (using sockets in /tmp/ssh-XXXXXXX),
the disadvantage is that you have to *really* trust every intermediate
machine through which you do agent forwarding.  This is because anyone
with root access on any machine through which you do agent forwarding
can simply use your forwarded credentials because he can access that
socket file.

I personally do use agent forwarding, but with the above understanding
about trust.

	Cheers,

	-- Johnny Lam <jlam at pkgsrc.org>
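What "use your forwarded credentials" means on the wire, as an added example that is not part of the original post and is not OpenSSH code: the two ssh-agent protocol requests that matter (list identities, sign) sent over a Unix socket, plus a mock agent serving one constructed identity so the exchange runs offline. Assumptions: the message numbers come from the ssh-agent protocol draft (draft-miller-ssh-agent), the socket layout mirrors ssh-agent's /tmp/ssh-XXXXXXX/agent.<pid>, and the mock agent's "signature" is a SHA-256 stand-in rather than a real signature.

```python
"""Added example, not code from the original post or from ssh-agent itself:
a minimal ssh-agent protocol client next to a mock agent.  It shows what the
post warns about: anyone who can open the agent socket (root on a forwarding
hop, say) can list the forwarded keys and have the agent sign challenges with
them, never touching a key file.  The mock identity and its "signature" are
constructed stand-ins for a real key."""
import hashlib, os, socket, struct, tempfile, threading

# Message numbers from the ssh-agent protocol (draft-miller-ssh-agent).
SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES, SSH_AGENT_IDENTITIES_ANSWER = 11, 12
SSH_AGENTC_SIGN_REQUEST, SSH_AGENT_SIGN_RESPONSE = 13, 14

def _string(b):
    """SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def _parse_strings(data, count):
    """Pull `count` SSH strings off the front of `data`; return them and the rest."""
    out, off = [], 0
    for _ in range(count):
        (n,) = struct.unpack(">I", data[off:off + 4])
        out.append(data[off + 4:off + 4 + n])
        off += 4 + n
    return out, data[off:]

def _recv_msg(sock):
    """Agent messages are length-framed: uint32 length, then the payload."""
    head = sock.recv(4, socket.MSG_WAITALL)
    if len(head) < 4:
        raise ConnectionError("peer closed the socket")
    return sock.recv(struct.unpack(">I", head)[0], socket.MSG_WAITALL)

def _agent_call(sock_path, request):
    # One request/response round trip over the agent's Unix socket.
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(_string(request))
        return _recv_msg(s)

def list_identities(sock_path):
    """SSH_AGENTC_REQUEST_IDENTITIES -> [(public_key_blob, comment), ...]."""
    reply = _agent_call(sock_path, bytes([SSH_AGENTC_REQUEST_IDENTITIES]))
    if reply[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise RuntimeError("agent refused to list identities")
    (count,) = struct.unpack(">I", reply[1:5])
    rest, ids = reply[5:], []
    for _ in range(count):
        (blob, comment), rest = _parse_strings(rest, 2)
        ids.append((blob, comment.decode("utf-8", "replace")))
    return ids

def sign(sock_path, key_blob, data, flags=0):
    """SSH_AGENTC_SIGN_REQUEST: the message publickey authentication ultimately
    needs, so whoever can send it can log in as the key's owner anywhere it is trusted."""
    req = (bytes([SSH_AGENTC_SIGN_REQUEST]) + _string(key_blob)
           + _string(data) + struct.pack(">I", flags))
    reply = _agent_call(sock_path, req)
    if reply[0] != SSH_AGENT_SIGN_RESPONSE:
        raise RuntimeError("agent refused to sign (unknown key or user declined)")
    (sig,), _ = _parse_strings(reply[1:], 1)
    return sig

# Constructed identity served by the mock agent: a fake ssh-ed25519 key blob.
MOCK_KEY_BLOB = _string(b"ssh-ed25519") + _string(b"\x01" * 32)
MOCK_COMMENT = b"mock key (constructed, not a real credential)"

def _mock_handle(msg):
    """Mock agent: one request in, one reply out, for the single mock identity."""
    if msg[0] == SSH_AGENTC_REQUEST_IDENTITIES:
        return (bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 1)
                + _string(MOCK_KEY_BLOB) + _string(MOCK_COMMENT))
    if msg[0] == SSH_AGENTC_SIGN_REQUEST:
        (blob, data), _ = _parse_strings(msg[1:], 2)
        if blob == MOCK_KEY_BLOB:
            # Stand-in for a signature; a real agent signs with the private key.
            fake = _string(b"ssh-ed25519") + _string(hashlib.sha256(data).digest())
            return bytes([SSH_AGENT_SIGN_RESPONSE]) + _string(fake)
    return bytes([SSH_AGENT_FAILURE])  # unknown key or unsupported request

def start_mock_agent():
    """Serve the mock agent on a socket laid out like /tmp/ssh-XXXXXXX/agent.<pid>."""
    sock_path = os.path.join(tempfile.mkdtemp(prefix="ssh-"), "agent.%d" % os.getpid())
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    srv.listen(5)
    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listening socket closed
                return
            with conn:
                try:
                    while True:
                        conn.sendall(_string(_mock_handle(_recv_msg(conn))))
                except ConnectionError:
                    pass
    threading.Thread(target=serve, daemon=True).start()
    return sock_path, srv
```

Pointed at a real agent instead of the mock (the path in SSH_AUTH_SOCK, or, for root on the intermediate host, any socket it finds under /tmp/ssh-*/), list_identities and sign are exactly the two calls a hijacker needs: the signature is the proof sshd on the next host asks for, and the agent hands it out to whoever can open the socket. Two OpenSSH controls worth knowing in this context: ssh-add -c loads a key so that each signing request must be confirmed interactively on the machine running the agent, and in current OpenSSH a ProxyJump hop (ssh -J) relays the connection without the agent ever being forwarded to it.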
