From owner-freebsd-security Thu May 31 18:11:14 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.webmonster.de (datasink.webmonster.de [194.162.162.209]) by hub.freebsd.org (Postfix) with SMTP id EF20137B422 for ; Thu, 31 May 2001 18:11:10 -0700 (PDT) (envelope-from karsten@rohrbach.de) Received: (qmail 90201 invoked by uid 1000); 1 Jun 2001 01:11:31 -0000 Date: Fri, 1 Jun 2001 03:11:31 +0200 From: "Karsten W. Rohrbach" To: Crist Clark Cc: "f.johan.beisser" , Alex Holst , freebsd-security@FreeBSD.ORG Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd) Message-ID: <20010601031131.K85717@mail.webmonster.de> Mail-Followup-To: "Karsten W. Rohrbach" , Crist Clark , "f.johan.beisser" , Alex Holst , freebsd-security@FreeBSD.ORG References: <3B16E7D9.3E9B78FF@globalstar.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="m0XfRaZG5aslkcJX" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3B16E7D9.3E9B78FF@globalstar.com>; from crist.clark@globalstar.com on Thu, May 31, 2001 at 05:54:49PM -0700 X-Arbitrary-Number-Of-The-Day: 42 X-URL: http://www.webmonster.de/ X-Disclaimer: My opinions do not necessarily represent those of my employer Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --m0XfRaZG5aslkcJX Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Crist Clark(crist.clark@globalstar.com)@2001.05.31 17:54:49 +0000: > *sigh* >=20 > You cannot 'record passphrases.' RSA authentication uses public key > cryptography. The client, the person logging in, proves it knows a=20 > secret, the private key, without ever revealing it to the server who > only knows the public key. >=20 *sigh*=20 fopen() does not have rsa support (thank god) btw, the ssh-agent(1) holds the _decrypted_ key you opened with=20 ssh-add(1), entering your passphrase that went via a fd from ssh-askpass=20 to ssh-add. > The use of public key crypto allows you to log into potentially=20 > untrusted servers without revealing your secret. hopping a host you got to take care of the ssh binary handling your auth token connecting to another - untrusted - server. thus, the binary is also potentially untrusted. also the ssh ForwardAgent option is potentially dangerous, then. portforwarding, too. /k --=20 > "The path of excess leads to the tower of wisdom." --W. Blake KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.n= et/ karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 B= F46 --m0XfRaZG5aslkcJX Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7FuvDM0BPTilkv0YRAts/AJ0S0OM+hwTS5PrM7b/jhSLlF9LXdgCfT0P5 fxXrZTG5zG/g4Bj1PKvCcpk= =n4Vn -----END PGP SIGNATURE----- --m0XfRaZG5aslkcJX-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message