From owner-freebsd-security  Fri Jun  1  2:35:27 2001
Delivered-To: freebsd-security@freebsd.org
Received: from borja.sarenet.es (borja.sarenet.es [192.148.167.77])
	by hub.freebsd.org (Postfix) with ESMTP id E0B7337B422
	for <freebsd-security@FreeBSD.ORG>; Fri,  1 Jun 2001 02:35:24 -0700 (PDT)
	(envelope-from borjam@sarenet.es)
Received: from borja.sarenet.es (localhost [127.0.0.1])
	by borja.sarenet.es (8.11.3/8.11.3) with SMTP id f519ZM088423;
	Fri, 1 Jun 2001 11:35:22 +0200 (CEST)
	(envelope-from borjam@sarenet.es)
Content-Type: text/plain;
  charset="iso-8859-1"
From: Borja Marcos <borjamar@sarenet.es>
To: Kris Kennaway <kris@obsecurity.org>
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
Date: Fri, 1 Jun 2001 11:35:22 +0200
X-Mailer: KMail [version 1.2]
Cc: freebsd-security@FreeBSD.ORG
References: <Pine.BSF.4.21.0105311727160.66343-100000@pogo.caustic.org> <01060109174003.87883@borja.sarenet.es> <20010601023051.A54447@xor.obsecurity.org>
In-Reply-To: <20010601023051.A54447@xor.obsecurity.org>
MIME-Version: 1.0
Message-Id: <0106011135220C.87883@borja.sarenet.es>
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

On Friday 01 June 2001 11:30, Kris Kennaway wrote:
 But B can request that A authenticate you to any other host, at any
> time during the lifetime of the A-B agent forwarding connection, using
> your RSA key on A.  Even though B can't get your key itself, it can
> authenticate as you as often as it likes, to as many systems as it
> likes, as long as that agent forwarding channel is available.  That's
> the next best thing, because when you obtain access to a system once,
> in general (not always) it's fairly easy to retain access
> indefinitely.

	Of course. That't why I want an external device. Something like an iButton, 
which you could plug *only* whenever you want to authenticate. Once 
authenticated, you disconnect it and the agent can no longer authenticate.

	Now I am playing with an HP calculator. It could be a fairly acceptable 
solution to store the keys and authenticate, and the screen could warn the 
user (and ask for a password) whenever a remote authentication request 
arrives.


	Borja.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message