> Thanks for the idea. However, ssh-agent has to speak the ssh-agent
> challenge-response protocol, and provides no way to call out to another
> program for pass-phrases. So hooking it up to quintuple-agent would
> require some work, I believe.
it would be easier to hack ssh-agent to pop up a mes
On Wed, Nov 03, 2004 at 10:17:22AM +, Marcus Williams wrote:
> On 03/11/2004, Andrew Pimlott wrote:
> > Do you have such a thing? I would absolutely love an ssh agent that
> > only asks for pass-phrases as needed, times them out eventually, and
> > can prompt before answering a challenge.
>
>
On 03/11/2004, Andrew Pimlott wrote:
> Do you have such a thing? I would absolutely love an ssh agent that
> only asks for pass-phrases as needed, times them out eventually, and
> can prompt before answering a challenge.
quintuple-agent does something like this. Not sure if it supports ssh
or not
On Tue, Nov 02, 2004 at 10:14:37AM -0200, Henrique de Moraes Holschuh wrote:
> (and if you are as paranoid as you
> should, you're using an agent that ASKS before doing any work).
Do you have such a thing? I would absolutely love an ssh agent that
only asks for pass-phrases as needed, times them
also sprach Henrique de Moraes Holschuh <[EMAIL PROTECTED]> [2004.11.02.1314 +0100]:
> It should not be possible to retrieve key material from the agent,
> ever. And the whole setup should not be vulnerable to replay
> attacks when using protocol 2 either.
>
> Are you *completely* sure of what you
also sprach Dariush Pietrzak <[EMAIL PROTECTED]> [2004.11.02.1053 +0100]:
> hmm, but in /tmp/ssh* there's just a socket... so when agent is gone, what
> good is that file?
Fine, so the other hosts are only accessible while you are logged
in. Should be enough to hijack them...
--
Please do not s
On Tue, 02 Nov 2004, martin f krafft wrote:
> If you forward your agent (-A, or ForwardAgent yes), then the
> attacker now probably has access to all machines where the SSH key
> you used has access.
This goes against what I know about the agent. The attacker could *try* to
access the agent when i
> Nope. It is true. Copy the appropriate /tmp/ssh* directory, chown
> it, set SSH_AUTH_SOCKET appropriately, and ssh away.
hmm, but in /tmp/ssh* there's just a socket... so when agent is gone, what
good is that file?
--
Dariush Pietrzak,
Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4
also sprach Dariush Pietrzak <[EMAIL PROTECTED]> [2004.11.02.0947 +0100]:
> > If you forward your agent (-A, or ForwardAgent yes), then the
> > attacker now probably has access to all machines where the SSH key
> > you used has access.
> Is this indeed true? I was under an impression that ForwardAg
> Meanwhile, the only thing I have is looking at some offline backups and
> working remotely in the (compromised) environment. Right now I'm looking at
> the lsof output there, a curious entry from Apache shown by lsof:
>
> apache 3170 root memDEL0,5 0 /SYSV00
> If you forward your agent (-A, or ForwardAgent yes), then the
> attacker now probably has access to all machines where the SSH key
> you used has access.
Is this indeed true? I was under an impression that ForwardAgent works more
in challenge-response fashion?
And as far as X-forwarding goes -
> You could force the SSH client to *not* forward X11 with -x
> (the low-caps x char) regardless other client/server-side
> specifications. If you do not specify any other special
> forwarding (-L or -R) then there will be no forwarding.
Good, that was what I was hoping for. (Obviously, my
defaul
Greetings!
On Tue, 2 Nov 2004 08:59:07 +0200 (IST) Vassilii Khachaturov
<[EMAIL PROTECTED]> wrote:
> I have been doing ssh into the box. The client is set up not to
> request the X forwarding by the default. When I try "ssh -v" now, I
> observe no X forwarding being established, whereas "ssh -X -v
also sprach Vassilii Khachaturov <[EMAIL PROTECTED]> [2004.11.02.0759 +0100]:
> I have been doing ssh into the box. The client is set up not to
> request the X forwarding by the default. When I try "ssh -v" now,
> I observe no X forwarding being established, whereas "ssh -X -v"
> does establish X.
I have discovered that one of the machines I have an account on has been
hacked. As a result, I am left with the following worries.
I have been doing ssh into the box. The client is set up not to request
the X forwarding by the default. When I try "ssh -v" now, I observe no X
forwarding being esta