From owner-freebsd-security Fri Jun 1 1:29:22 2001
Delivered-To: freebsd-security@freebsd.org
Received: from borja.sarenet.es (borja.sarenet.es [192.148.167.77]) by hub.freebsd.org (Postfix) with ESMTP id CB68B37B422 for ; Fri, 1 Jun 2001 01:29:18 -0700 (PDT) (envelope-from borjam@sarenet.es)
Received: from borja.sarenet.es (localhost [127.0.0.1]) by borja.sarenet.es (8.11.3/8.11.3) with SMTP id f518TH088229 for ; Fri, 1 Jun 2001 10:29:17 +0200 (CEST) (envelope-from borjam@sarenet.es)
Content-Type: text/plain; charset="iso-8859-1"
From: Borja Marcos
To: freebsd-security@freebsd.org
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
Date: Fri, 1 Jun 2001 10:29:17 +0200
X-Mailer: KMail [version 1.2]
References: <3B16F492.128CB8B0@globalstar.com> <20010531191001.A12808@xor.obsecurity.org>
In-Reply-To: <20010531191001.A12808@xor.obsecurity.org>
MIME-Version: 1.0
Message-Id: <01060109230204.87883@borja.sarenet.es>
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Friday 01 June 2001 04:10, you wrote:
> I believe agent forwarding still exposes the problem: it basically
> sets up a trust relationship with the remote system which allows
> processes running as you on the target machine to access the keys
> stored in the original ssh-agent on your source machine.
>
> i.e. in order to authenticate from the second machine to a third when
> agent forwarding is enabled from machine one to machine two, the
> second client requests a copy of your decrypted credentials which are
> stored in the ssh-agent on the first, and uses them as it pleases
> (ideally, only to authenticate -- once, and according to your
> directions -- with the third system).

Are you sure?

I understand that the challenge encryption is done at the first system (by the authentication agent) and the private key is *not* sent anywhere. If that were the case, the authentication agent would have no useful purpose!

Of course, a problem remains; it might be possible to start connections from the second system to the third using the forwarded authentication, but the use of an external device storing the keys would make it more difficult.

Borja.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
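The two positions in the exchange above differ on one point: whether a forwarded agent hands out the key or only answers challenges. The following is an added illustration, not code from the thread or from OpenSSH. It is a toy model of the agent-forwarding trust relationship using constructed textbook RSA parameters (p=61, q=53, insecure by design, chosen only so the arithmetic is visible). The `Agent` on the first host signs challenges and never returns its private exponent; the `ForwardedAgent` is what a process on the second host sees: a handle that relays signing requests and carries no key material. The optional `confirm` hook is an assumption of this model, loosely patterned on the per-use confirmation that `ssh-add -c` enables in OpenSSH, to show how the residual risk Borja mentions (a process on hop 2 authenticating onward to hop 3) can be contained.

```python
"""Toy model of SSH agent forwarding: signatures travel, the private key does not.

Added example (not from the mailing-list thread). Textbook RSA with constructed,
insecure parameters is used only to make the challenge/response visible.
"""
import secrets

# Constructed textbook RSA key: NOT secure, illustration only.
P, Q = 61, 53
N = P * Q                            # modulus, 3233
E = 17                               # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, 2753 (needs Python 3.8+)


class Agent:
    """The authentication agent on the user's own host (hop 1)."""

    def __init__(self, d, n, confirm=None):
        self._d = d            # private exponent: kept here, never returned to callers
        self.n = n
        self.confirm = confirm  # optional policy hook: confirm(requester) -> bool
        self.log = []           # who asked for a signature, in order (audit trail)

    def sign(self, challenge, requester):
        """Answer a challenge with a signature; refuse if the confirm hook says no."""
        if self.confirm is not None and not self.confirm(requester):
            raise PermissionError(f"agent refused to sign for {requester}")
        self.log.append(requester)
        return pow(challenge, self._d, self.n)


class ForwardedAgent:
    """What a process on hop 2 gets through the forwarded socket: a relay, not a key."""

    def __init__(self, agent, hop):
        self._agent = agent    # in reality a socket back to hop 1; here a direct reference
        self.hop = hop

    def sign(self, challenge):
        return self._agent.sign(challenge, self.hop)


class Server:
    """An SSH server that trusts the user's public key (e, n)."""

    def __init__(self, name, e, n):
        self.name, self.e, self.n = name, e, n

    def authenticate(self, sign):
        """Issue a random challenge and accept if sign() returns a valid signature."""
        challenge = secrets.randbelow(self.n - 2) + 2
        signature = sign(challenge)
        return pow(signature, self.e, self.n) == challenge


def deny_unattended(requester):
    """Sample confirm policy (assumption): only the user's own client may use the key."""
    return requester.startswith("user@")


def run_scenario(forward_agent, confirm=None):
    """User on hop 1 logs in to hop 2; then a process on hop 2 tries to reach hop 3."""
    agent = Agent(D, N, confirm)
    hop2 = Server("hop2", E, N)
    hop3 = Server("hop3", E, N)

    # Step 1: the user's own client on hop 1 authenticates to hop 2 via the local agent.
    ok_hop2 = hop2.authenticate(lambda c: agent.sign(c, "user@hop1"))

    # Step 2: with forwarding on, hop 2 receives a relay; with it off, nothing at all.
    forwarded = ForwardedAgent(agent, "process@hop2") if forward_agent else None

    # Step 3: a process on hop 2 attempts to authenticate onward to hop 3.
    if forwarded is None:
        reached_hop3, reason = False, "no agent socket on hop2"
    else:
        try:
            reached_hop3 = hop3.authenticate(forwarded.sign)
            reason = "forwarded socket signed the challenge"
        except PermissionError as exc:
            reached_hop3, reason = False, str(exc)

    return {
        "hop2": ok_hop2,
        "hop3": reached_hop3,
        "reason": reason,
        # The relay object holds no private exponent: the key never left hop 1.
        "key_on_hop2": forwarded is not None and hasattr(forwarded, "_d"),
        "agent_log": list(agent.log),
    }


if __name__ == "__main__":
    for label, kwargs in [("ForwardAgent no", dict(forward_agent=False)),
                          ("ForwardAgent yes", dict(forward_agent=True)),
                          ("ForwardAgent yes + confirm", dict(forward_agent=True,
                                                              confirm=deny_unattended))]:
        print(label, run_scenario(**kwargs))
```

Running the three scenarios shows the point made in the reply: in every case the private exponent stays inside the `Agent` object on hop 1, and what hop 2 can obtain is a signature over a challenge it supplies, which is exactly enough to log in to hop 3 while the forwarded socket exists. Leaving `ForwardAgent no` (the OpenSSH default) removes that capability entirely; keeping the key in a hardware token or requiring per-use confirmation limits it to uses the user actually approves.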