[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Signing Packages.gz

On 2 Apr 2000, Robert Bihlmeyer wrote:

> > Solution: remove the identity from .ssh/authorized_keys on my home
> > machine.
> Note that *any* keys that your agent holds can be snarfed by the
> admin(s) of any hosts where you ssh-in with agent forwarding enabled.

No, that is the point of ssh-agent. The key never leaves your machine the
authentication request travels through SSH to your agent, and then back
again with the proper encrypted credentials. So long as your ssh is active
an attacker can use that to access other machines you normally ssh into
and presumably implant his own authorized_key.


Reply to: