From owner-freebsd-security Tue Jun 5 10:45:07 2001
Delivered-To: freebsd-security@freebsd.org
Received: from f-control.area51.dk (f-control.area51.dk [213.237.108.10]) by hub.freebsd.org (Postfix) with SMTP id 2E00B37B406 for ; Tue, 5 Jun 2001 10:45:03 -0700 (PDT) (envelope-from a@f-control.area51.dk)
Received: (qmail 98421 invoked by uid 1007); 5 Jun 2001 17:45:14 -0000
Date: Tue, 5 Jun 2001 19:45:14 +0200
From: Alex Holst
To: freebsd-security@FreeBSD.ORG
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
Message-ID: <20010605194514.B98233@area51.dk>
Mail-Followup-To: Alex Holst , freebsd-security@FreeBSD.ORG
References: <3B16E7D9.3E9B78FF@globalstar.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3B16E7D9.3E9B78FF@globalstar.com>; from crist.clark@globalstar.com on Thu, May 31, 2001 at 05:54:49PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Quoting Crist Clark (crist.clark@globalstar.com):

> You cannot 'record passphrases.' RSA authentication uses public key
> cryptography.

Exactly. However, consider the three machines in the scenario below:

    workstation ---> compromised middle machine ---> server

I have been thinking about the least-risk approach. If the middle machine has ssh and sshd trojaned to various degrees, would one not benefit from using authentication forwarding rather than typing one's passphrase into the ssh client on the compromised machine?

If one does lose his passphrase, and the trojaned ssh captured the response, it still wouldn't do an intruder much good, would it?

-- 
I prefer the dark of the night, after midnight and before four-thirty,
when it's more bare, more hollow.
http://a.area51.dk/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
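The scenario in the message above, written out as a workstation-side OpenSSH client configuration. This is an added example, not part of the original post or of any FreeBSD project code; the hostnames, key path and the `middle`/`server` aliases are constructed. The first stanza is the option the post proposes (agent forwarding through the compromised host, so the passphrase is only ever typed on the workstation); the second goes beyond the post and shows the end-to-end alternative, `ProxyJump` (OpenSSH 7.3 and later), under which the middle host relays only ciphertext and never sees an authentication socket at all.

```sshconfig
# Added example (not from the original message). Workstation ~/.ssh/config for
#   workstation ---> middle (assumed compromised) ---> server
# Hostnames and key path are constructed placeholders.

# Option discussed in the thread: forward the agent through middle.
# The private key and passphrase stay on the workstation, so a trojaned ssh on
# middle cannot capture them. Caveat: for as long as this session is open, root
# on middle can open the forwarded socket ($SSH_AUTH_SOCK there) and have the
# workstation's agent sign challenges, i.e. log in as you to any host that
# trusts this key. What it gets is signatures on demand, not the key itself.
Host middle
    HostName middle.example.net
    ForwardAgent yes
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_rsa

# Alternative that exposes nothing to middle: tunnel the TCP connection through
# it and authenticate to server directly from the workstation. The ssh session
# to server is end-to-end, so a trojaned sshd on middle sees only ciphertext,
# and no agent socket exists on middle to abuse.
Host server
    HostName server.example.net
    ProxyJump middle
    ForwardAgent no
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_rsa
```

If agent forwarding through an untrusted host is unavoidable, load the key with `ssh-add -c ~/.ssh/id_rsa`: the `-c` flag makes the agent ask for confirmation on the workstation each time a signature is requested, which turns a silent use of the forwarded socket from middle into a visible prompt. Once a `server` stanza with `ProxyJump` is in place, `ssh server` does the two hops with no agent forwarded anywhere.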