Date:      Tue, 5 Jun 2001 19:45:14 +0200
From:      Alex Holst <a@area51.dk>
To:        freebsd-security@FreeBSD.ORG
Subject:   Re: Apache Software Foundation Server compromised, resecured. (fwd)
Message-ID:  <20010605194514.B98233@area51.dk>
In-Reply-To: <3B16E7D9.3E9B78FF@globalstar.com>; from crist.clark@globalstar.com on Thu, May 31, 2001 at 05:54:49PM -0700
References:  <Pine.BSF.4.21.0105311727160.66343-100000@pogo.caustic.org> <3B16E7D9.3E9B78FF@globalstar.com>

Quoting Crist Clark (crist.clark@globalstar.com):
> You cannot 'record passphrases.' RSA authentication uses public key
> cryptography.

Exactly. However, consider the three machines in the scenario below:

        workstation ---> compromised middle machine ---> server

I have been thinking about the least-risk approach. If the middle machine
has ssh and sshd trojaned to various degrees, would one not benefit from
using authentication forwarding rather than typing one's passphrase to the
ssh client on the compromised machine?

If one does lose his passphrase and the trojaned ssh captured the response
it still wouldn't do an intruder much good, would it?

-- 
I prefer the dark of the night, after midnight and before four-thirty,
when it's more bare, more hollow.                  http://a.area51.dk/
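
Added example, not part of the original message: a simplified model of the challenge-response exchange discussed above, using a toy textbook-RSA key and hypothetical function names (agent_sign, server_verify, forwarded_login, replay_succeeds); it is not the SSH wire protocol. It shows that a response recorded by the relaying machine does not satisfy a later session's fresh challenge.

```python
import hashlib
import secrets

# Toy textbook-RSA key (constructed for this example, far too small for real use).
P, Q, E = 2**89 - 1, 2**107 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, stays on the workstation


def digest(challenge: bytes) -> int:
    """Hash the challenge and reduce it into the toy modulus."""
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % N


def agent_sign(challenge: bytes) -> int:
    """Workstation agent: signs one challenge, never reveals D or a passphrase."""
    return pow(digest(challenge), D, N)


def server_verify(challenge: bytes, response: int) -> bool:
    """Server: checks the response against the challenge it issued itself."""
    return pow(response, E, N) == digest(challenge)


def forwarded_login(captured: list) -> bool:
    """One login through the middle machine, which records what it relays."""
    challenge = secrets.token_bytes(32)      # fresh per session, chosen by server
    response = agent_sign(challenge)         # request forwarded back to workstation
    captured.append((challenge, response))   # all the trojaned relay gets to keep
    return server_verify(challenge, response)


def replay_succeeds(captured: list) -> bool:
    """Would an old captured response satisfy a new session's challenge?"""
    new_challenge = secrets.token_bytes(32)
    return any(server_verify(new_challenge, r) for _, r in captured)


if __name__ == "__main__":
    log = []
    print("login accepted:", forwarded_login(log))
    print("replay accepted:", replay_succeeds(log))
```

The model covers only responses captured and reused later; while a forwarded connection is open, the agent answers whatever signing request is relayed to it. OpenSSH's `ssh-add -c` (confirm each use of the key) and `ssh -J` (jump through the intermediate host without running an agent connection on it) address that part.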

