Date: Thu, 31 May 2001 19:10:01 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: Crist Clark <crist.clark@globalstar.com>
Cc: security@FreeBSD.org
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
Message-ID: <20010531191001.A12808@xor.obsecurity.org>
In-Reply-To: <3B16F492.128CB8B0@globalstar.com>; from crist.clark@globalstar.com on Thu, May 31, 2001 at 06:49:06PM -0700
References: <Pine.BSF.4.21.0105311727160.66343-100000@pogo.caustic.org> <3B16E7D9.3E9B78FF@globalstar.com> <20010531183732.B12216@xor.obsecurity.org> <3B16F492.128CB8B0@globalstar.com>

On Thu, May 31, 2001 at 06:49:06PM -0700, Crist Clark wrote:
> Kris Kennaway wrote:
> >
> > On Thu, May 31, 2001 at 05:54:49PM -0700, Crist Clark wrote:
> >
> > > *sigh*
> > >
> > > You cannot 'record passphrases.' RSA authentication uses public key
> > > cryptography. The client, the person logging in, proves it knows a
> > > secret, the private key, without ever revealing it to the server who
> > > only knows the public key.
> >
> > The ssh client on the sourceforge machine was trojaned;
>
> A lot of people SSH _out_ of the sourceforge machine(s)? And they do
> so by typing a passphrase on that machine as opposed to agent forwarding?

Apparently so.

I believe agent forwarding still exposes the problem: it basically sets up a trust relationship with the remote system which allows processes running as you on the target machine to access the keys stored in the original ssh-agent on your source machine. i.e. in order to authenticate from the second machine to a third when agent forwarding is enabled from machine one to machine two, the second client requests a copy of your decrypted credentials which are stored in the ssh-agent on the first, and uses them as it pleases (ideally, only to authenticate -- once, and according to your directions -- with the third system).

The moral of the story is to never initiate SSH connections from untrusted machines, no matter how you do it, because you expose your private credentials to that system (unless you use something like OPIE where you don't need to actually expose your credentials to authenticate, just prove that you have them): always make them from a machine you can reasonably trust not to be compromised (or use something like OPIE :-).

The perhaps less obvious moral is to never connect to an untrusted system with agent forwarding enabled -- no matter what you do on the untrusted system -- otherwise that system can still steal your identity as described above. This is why the OpenSSH client disables agent forwarding by default (contrary to what the defaults seem to say in /etc/ssh/ssh_config, but as correctly documented in the manpage).

Kris
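
The point about ssh_config defaults, as an added example that is not part of the original message and is not OpenSSH code: the Python below resolves the ForwardAgent value the client would use for a given host, following ssh_config's rule that the first obtained value wins and that a negated Host pattern vetoes its block. The sample config and host names are constructed; Match and Include are not evaluated, and fnmatch stands in for ssh's own pattern matcher.

```python
import fnmatch
import shlex

# Constructed sample config; the commented line stands in for a sample-file
# "default" that looks active but has no effect.
SAMPLE = """\
# ForwardAgent yes
Host bastion.example.org
    ForwardAgent yes
Host *.example.org !shell.example.org
    ForwardAgent no
Host *
    ForwardAgent yes
"""

def host_matches(patterns, host):
    """Host line semantics: any matching negated pattern vetoes the block."""
    hit = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            hit = True
    return hit

def effective_forward_agent(config_text, host):
    """Return the ForwardAgent value that applies to `host` (first value wins)."""
    applies = True  # lines before the first Host block apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line.replace("=", " ", 1))  # "Key=value" is allowed
        key, args = words[0].lower(), words[1:]
        if key == "host":
            applies = host_matches(args, host)
        elif key == "match":
            applies = False  # assumption: Match blocks are skipped, not evaluated
        elif key == "forwardagent" and applies and args:
            return args[0].lower()
    return "no"  # OpenSSH client default when nothing sets the option

def audit(config_text, hosts):
    """Subset of `hosts` that would be handed a forwarded agent."""
    return [h for h in hosts if effective_forward_agent(config_text, h) != "no"]
```

In the sample, shell.example.org is excluded from the block that turns forwarding off and so falls through to the `Host *` block that turns it on, which is the kind of unintended exposure the message warns about.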