Re: OpenSSH uploaded replacing ssh, please test

Joey Hess <joeyh@debian.org> writes:

> Jules Bean wrote:
> > Correct me if I'm wrong, but the only way someone could install such a
> > sneaky app is if they have root access on that machine, or access to your
> > account on that machine.  And if they have either of those things, you
> > have no security anyway, because they can run circles around any security
> > measure you impose.
> All someone needs to run an invisible keyboard grabber is for you to mess up
> your Xauthority for a minute. I.e., run "xhost +", or leak your Xauthority
> cookie, etc.

Both the original ssh askpass as well as the one just posted (try to)
prevent this type of attack by temporarily obtaining exclusive access
to the keyboard (similar to xterm's "secure keyboard" menu item).

	- Ruud de Rooij.
ruud de rooij | ruud@ruud.org | http://ruud.org

