Re: Signing Packages.gz
Julian Gilbey <J.D.Gilbey@qmw.ac.uk> writes:
> On my home machine, I have an identity in .ssh/identity.pub.
> I copied that into .ssh/authorized_keys on master (possibly using the
> LDAP system).
> I *also* copied it into .ssh/authorized_keys on my home machine.
>
> That extra copy on my home machine (somehow) allows root to snoop my
> identity and so get into my home machine without a password.
This is only possible if you used ssh-agent at some point, and had
"agent forwarding" turned on at this time (this may be turned on by
default). If you never use the agent, you're not at risk.
> Solution: remove the identity from .ssh/authorized_keys on my home
> machine.
Note that *any* keys that your agent holds can be snarfed by the
admin(s) of any hosts where you ssh-in with agent forwarding enabled.
--
Robbe
Reply to: