Date: Fri, 1 Jun 2001 03:11:31 +0200 From: "Karsten W. Rohrbach" <karsten@rohrbach.de> To: Crist Clark <crist.clark@globalstar.com> Cc: "f.johan.beisser" <jan@caustic.org>, Alex Holst <a@area51.dk>, freebsd-security@FreeBSD.ORG Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd) Message-ID: <20010601031131.K85717@mail.webmonster.de> In-Reply-To: <3B16E7D9.3E9B78FF@globalstar.com>; from crist.clark@globalstar.com on Thu, May 31, 2001 at 05:54:49PM -0700 References: <Pine.BSF.4.21.0105311727160.66343-100000@pogo.caustic.org> <3B16E7D9.3E9B78FF@globalstar.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--m0XfRaZG5aslkcJX Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Crist Clark(crist.clark@globalstar.com)@2001.05.31 17:54:49 +0000: > *sigh* >=20 > You cannot 'record passphrases.' RSA authentication uses public key > cryptography. The client, the person logging in, proves it knows a=20 > secret, the private key, without ever revealing it to the server who > only knows the public key. >=20 *sigh*=20 fopen() does not have rsa support (thank god) btw, the ssh-agent(1) holds the _decrypted_ key you opened with=20 ssh-add(1), entering your passphrase that went via a fd from ssh-askpass=20 to ssh-add. > The use of public key crypto allows you to log into potentially=20 > untrusted servers without revealing your secret. hopping a host you got to take care of the ssh binary handling your auth token connecting to another - untrusted - server. thus, the binary is also potentially untrusted. also the ssh ForwardAgent option is potentially dangerous, then. portforwarding, too. /k --=20 > "The path of excess leads to the tower of wisdom." --W. Blake KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.n= et/ karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 B= F46 --m0XfRaZG5aslkcJX Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7FuvDM0BPTilkv0YRAts/AJ0S0OM+hwTS5PrM7b/jhSLlF9LXdgCfT0P5 fxXrZTG5zG/g4Bj1PKvCcpk= =n4Vn -----END PGP SIGNATURE----- --m0XfRaZG5aslkcJX-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010601031131.K85717>