Re: OpenSSH uploaded replacing ssh, please test

To: Tommi Virtanen <tv@debian.org>
Cc: Philip Hands <phil@hands.com>, debian-devel@lists.debian.org, recipient list not shown: ;
Subject: Re: OpenSSH uploaded replacing ssh, please test
From: Jules Bean <jmlb2@hermes.cam.ac.uk>
Date: Thu, 4 Nov 1999 19:50:32 +0000 (GMT)
Message-id: <Pine.SOL.4.10a.9911041946170.17870-100000@red.csi.cam.ac.uk>
In-reply-to: <19991104183652.A11827@hq.yok.utu.fi>

On Thu, 4 Nov 1999, Tommi Virtanen wrote:

> On Thu, Nov 04, 1999 at 03:53:03PM +0000, Philip Hands wrote:
> > > 	And here's ssh-askpass too. Consider it public domain.
> > Is that attempting to do anything to stop people sniffing the
> > passphrase?
> > 
> > It needs to do the same sorts of tricks that xdm does to ensure that
> > someone hasn't run an invisible keyboard-event grabber before running
> > ssh-askpass.
> 
> 	It grabs the X focus globally, in the same way xterm's
>         Secure keyboard -option and ssh-askpass seem to do.
>         I will not read the source of ssh-askpass, that might be
>         viewed as copyright infrigment (sp?).
> 
>         I am no X expert, but I don't think there's more to do
>         than that. Unless you want to lock the pages into memory
>         etc..

I have read the source to ssh-askpass, but if I only describe ideas to
you, I won't be breaking your clean-room.

In ideas, all ssh-askpass does is grab the keyboard, which is probably
equivalent to what you're doing (I'm no X guru either).

Correct me if I'm wrong, but the only way someone could install such a
sneaky app is if they have root access on that machine, or access to your
account on that machine.  And if they have either of those things, you
have no security anyway, because they can run circles around any security
measure you impose.

If you are typing from another machine to the one with the private key in
question, then you also need to trust everyone with root on the machine
you're physically typing on, as well as everyone with root on the machine
running the Xclient concerned :)

Bearing all that in mind, I'm not sure what useful security measures
ssh-askpass can impose.

Jules

/----------------+-------------------------------+---------------------\
|  Jelibean aka  | jules@jellybean.co.uk         |  6 Evelyn Rd	       |
|  Jules aka     | jules@debian.org              |  Richmond, Surrey   |
|  Julian Bean   | jmlb2@hermes.cam.ac.uk        |  TW9 2TF *UK*       |
+----------------+-------------------------------+---------------------+
|  War doesn't demonstrate who's right... just who's left.             |
|  When privacy is outlawed... only the outlaws have privacy.          |
\----------------------------------------------------------------------/

Reply to:

Follow-Ups:
- Re: OpenSSH uploaded replacing ssh, please test
  - From: Joey Hess <joeyh@debian.org>

References:
- Re: OpenSSH uploaded replacing ssh, please test
  - From: Tommi Virtanen <tv@debian.org>

Prev by Date: Re: Packages to give away
Next by Date: Re: OpenSSH uploaded replacing ssh, please test
Previous by thread: Re: OpenSSH uploaded replacing ssh, please test
Next by thread: Re: OpenSSH uploaded replacing ssh, please test
Index(es):
- Date
- Thread