Date: Fri, 1 Jun 2001 16:19:51 +0200
From: "Karsten W. Rohrbach" <karsten@rohrbach.de>
To: Kris Kennaway <kris@obsecurity.org>
Cc: Crist Clark <crist.clark@globalstar.com>, security@FreeBSD.org
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
Message-ID: <20010601161951.F10477@mail.webmonster.de>
In-Reply-To: <20010531193555.A13334@xor.obsecurity.org>; from kris@obsecurity.org on Thu, May 31, 2001 at 07:35:55PM -0700
References: <Pine.BSF.4.21.0105311727160.66343-100000@pogo.caustic.org> <3B16E7D9.3E9B78FF@globalstar.com> <20010531183732.B12216@xor.obsecurity.org> <3B16F492.128CB8B0@globalstar.com> <20010531191001.A12808@xor.obsecurity.org> <3B16FD12.B1F251C8@globalstar.com> <20010531193555.A13334@xor.obsecurity.org>
Kris Kennaway(kris@obsecurity.org)@2001.05.31 19:35:55 +0000:
> On Thu, May 31, 2001 at 07:25:22PM -0700, Crist Clark wrote:
>
> > According to the documentation, this is NOT how the agent forwarding
> > works. The second client passes data, typically a challenge, back to
> > machine one, where the agent does its thing with the private key
> > material, then passes the decrypted challenge information back to
> > machine two.
>
> Okay, I'm willing to admit I could be wrong about the mechanism, but
> the trust relationship still exists. The ssh-agent authenticates on
> demand, so as long as you're connected to the untrusted system it can
> authenticate as you to other systems without your permission.

this does not lead to a big tragedy since the agent protocol is
challenge-response. a challenge is sent by the remote peer, the agent
signs it using the local identity and sends the response back to the
remote peer. the remote side checks the signed response against the
public key and if it matches c'est ca.

if this way of authentication has to be considered dangerous, public key
crypto is, since you could not give away your public key, then ;-)

the private key is never ever presented to an entity on a remote system.
/k
-- 
> "There is a God, but He drinks" --Blore
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
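The exchange the thread is arguing about, as an added example that is not part of the original message or of any OpenSSH code: a toy model of the agent protocol in Go, using an Ed25519 key (an assumption; the real agent protocol uses the SSH wire format and is not reproduced here). It shows both halves of the discussion: the server only ever sees a signature over a fresh random challenge, so the private key never leaves the agent and a captured signature cannot be replayed, and at the same time whoever can reach the agent socket, including a process on a host the socket was forwarded to, gets signatures on demand. The `Confirm` hook is a hypothetical stand-in for the per-use confirmation prompt of `ssh-add -c`, the mitigation a defender would reach for when forwarding cannot be avoided.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Agent models the local ssh-agent. It owns the private key and answers
// signing requests arriving over its socket; the key itself never leaves it.
// Confirm is an optional per-request policy hook (modelled on "ssh-add -c"):
// returning false makes the agent refuse to sign.
type Agent struct {
	priv    ed25519.PrivateKey
	Confirm func(challenge []byte) bool
}

// NewAgent generates a fresh identity and returns the agent plus the public
// half, which is what would be placed into the remote authorized_keys.
func NewAgent() (*Agent, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Agent{priv: priv}, pub, nil
}

// Sign is the only operation a socket holder can ask for: challenge in,
// signature out. The user and any process on a forwarding host that reaches
// the socket get exactly the same answer; that is the trust relationship.
func (a *Agent) Sign(challenge []byte) ([]byte, error) {
	if a.Confirm != nil && !a.Confirm(challenge) {
		return nil, errors.New("agent: signing request declined")
	}
	return ed25519.Sign(a.priv, challenge), nil
}

// Server models the remote sshd: it holds only the public key, issues a fresh
// random challenge per attempt, and accepts a signature only over that one.
type Server struct{ authorized ed25519.PublicKey }

func NewServer(pub ed25519.PublicKey) *Server { return &Server{authorized: pub} }

func (s *Server) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

func (s *Server) Verify(challenge, sig []byte) bool {
	return ed25519.Verify(s.authorized, challenge, sig)
}

// Authenticate runs one challenge-response round. signer is whatever holds the
// agent socket; the server never receives anything but the signature.
func Authenticate(s *Server, signer func([]byte) ([]byte, error)) (bool, error) {
	c, err := s.Challenge()
	if err != nil {
		return false, err
	}
	sig, err := signer(c)
	if err != nil {
		return false, err
	}
	return s.Verify(c, sig), nil
}

// ReplayAccepted records one round (as an observer on the wire could) and
// presents the captured signature in a later round. Each round carries a
// fresh challenge, so this must return false.
func ReplayAccepted(s *Server, a *Agent) (bool, error) {
	old, err := s.Challenge()
	if err != nil {
		return false, err
	}
	oldSig, err := a.Sign(old)
	if err != nil {
		return false, err
	}
	fresh, err := s.Challenge()
	if err != nil {
		return false, err
	}
	return s.Verify(fresh, oldSig), nil
}

func main() {
	agent, pub, err := NewAgent()
	if err != nil {
		panic(err)
	}
	srv := NewServer(pub)
	ok, _ := Authenticate(srv, agent.Sign) // the user, or anyone on the forwarded socket
	replay, _ := ReplayAccepted(srv, agent)
	agent.Confirm = func([]byte) bool { return false } // user declines the prompt
	_, declined := Authenticate(srv, agent.Sign)
	fmt.Println("login ok:", ok, " replay accepted:", replay, " declined:", declined != nil)
}
```

Note that nothing in the model lets the server, or a second socket holder, recover `priv`: the only leak is the signing oracle, which is exactly why the usual advice is to forward the agent only to hosts you trust as much as your own, or to require confirmation per use.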
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010601161951.F10477>