From owner-freebsd-security Fri Jun 1 7:23:22 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.webmonster.de (datasink.webmonster.de [194.162.162.209]) by hub.freebsd.org (Postfix) with SMTP id 46D0F37B449 for ; Fri, 1 Jun 2001 07:23:06 -0700 (PDT) (envelope-from karsten@rohrbach.de) Received: (qmail 12224 invoked by uid 1000); 1 Jun 2001 14:23:27 -0000 Date: Fri, 1 Jun 2001 16:23:27 +0200 From: "Karsten W. Rohrbach" To: Michael Han Cc: Crist Clark , security@FreeBSD.org Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd) Message-ID: <20010601162327.G10477@mail.webmonster.de> Mail-Followup-To: "Karsten W. Rohrbach" , Michael Han , Crist Clark , security@FreeBSD.org References: <3B16E7D9.3E9B78FF@globalstar.com> <20010531183732.B12216@xor.obsecurity.org> <3B16F492.128CB8B0@globalstar.com> <20010531191001.A12808@xor.obsecurity.org> <3B16FD12.B1F251C8@globalstar.com> <20010601012133.A1203@giles.mikehan.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="L+ofChggJdETEG3Y" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010601012133.A1203@giles.mikehan.com>; from mikehan@mikehan.com on Fri, Jun 01, 2001 at 01:21:33AM -0700 X-Arbitrary-Number-Of-The-Day: 42 X-URL: http://www.webmonster.de/ X-Disclaimer: My opinions do not necessarily represent those of my employer Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --L+ofChggJdETEG3Y Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Michael Han(mikehan@mikehan.com)@2001.06.01 01:21:33 +0000: > Crist, I believe your analysis is correct WRT decrypted keys or > passphrases *not* being available except by compromising the > originating client hosting the first ssh-agent in a chain. However, > Kris is correct, as I understand agent forwarding, in that if you > forward your agent from trusted host A to untrusted host B, a rogue > superuser on B could copy your SSH_AUTH_SOCK environment and begin > passing RSA key requests back to your agent on A. There *is* a > vulnerability introduced by forwarding your agent to an untrusted > host, which is why I do not usually forward my agent. I try to give my > understanding of these issues in > http://www.mikehan.com/ssh/security.html this would be a standard man in the middle attack, right? capturing the challenge from one machine passing it (as root) to the agent, getting the response packet back and passing it on to the to-be-broken-in server should not work due to session keying, should'nt it? /k --=20 > 71: 69 with two fingers up your ass. --George Carlin KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.n= et/ karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 B= F46 --L+ofChggJdETEG3Y Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7F6VfM0BPTilkv0YRAp9cAKC+yvTjO/TUhJy55p6VVxbTe6xDMgCdGQ8I +6k7TzpUlFNHqHRfg0FIeco= =a1Cr -----END PGP SIGNATURE----- --L+ofChggJdETEG3Y-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message