[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Signing Packages.gz

Julian Gilbey <J.D.Gilbey@qmw.ac.uk> writes:

> On my home machine, I have an identity in .ssh/identity.pub.
> I copied that into .ssh/authorized_keys on master (possibly using the
> LDAP system).
> I *also* copied it into .ssh/authorized_keys on my home machine.
> That extra copy on my home machine (somehow) allows root to snoop my
> identity and so get into my home machine without a password.

This is only possible if you used ssh-agent at some point, and had
"agent forwarding" turned on at this time (this may be turned on by
default). If you never use the agent, you're not at risk.

> Solution: remove the identity from .ssh/authorized_keys on my home
> machine.

Note that *any* keys that your agent holds can be snarfed by the
admin(s) of any hosts where you ssh-in with agent forwarding enabled.


Reply to: