
Re: Signing Packages.gz



On 2 Apr 2000, Robert Bihlmeyer wrote:

> > Solution: remove the identity from .ssh/authorized_keys on my home
> > machine.
 
> Note that *any* keys that your agent holds can be snarfed by the
> admin(s) of any hosts where you ssh-in with agent forwarding enabled.

No, that is the point of ssh-agent. The key never leaves your machine; the
authentication request travels through SSH to your agent, and then back
again with the proper encrypted credentials. So long as your ssh is active,
an attacker can use that to access other machines you normally ssh into
and presumably implant his own authorized_key.

Jason
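
A toy model of the agent exchange described in the reply above, added here as an example and not part of the original thread. HMAC stands in for the public-key signature, and all class and function names are hypothetical.

```python
import hashlib
import hmac
import os


class Agent:
    """Runs on the user's own machine; the only place the key is stored."""

    def __init__(self):
        self._key = os.urandom(32)  # constructed secret for the demo

    def sign(self, challenge):
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

    def verify(self, challenge, response):
        # Stand-in for a server checking against authorized_keys. Real SSH
        # uses a public key here; HMAC is a simplification (assumption).
        return hmac.compare_digest(response, self.sign(challenge))


class ForwardedAgentSocket:
    """What the intermediate host gets: a channel back to the agent."""

    def __init__(self, agent):
        self._agent = agent
        self.active = True   # True while the user's ssh session is open
        self.seen = []       # every byte string that crossed the channel

    def request(self, challenge):
        if not self.active:
            raise ConnectionError("ssh session closed, agent unreachable")
        response = self._agent.sign(challenge)
        self.seen += [challenge, response]
        return response


def demo():
    agent = Agent()
    sock = ForwardedAgentSocket(agent)  # exposed on the intermediate host
    challenge = os.urandom(16)          # issued by some other server
    # Whoever can reach the socket obtains a response that server accepts...
    accepted_while_active = agent.verify(challenge, sock.request(challenge))
    key_leaked = agent._key in sock.seen  # ...but the key never crossed over
    sock.active = False                   # user logs out
    try:
        sock.request(os.urandom(16))
        usable_after_close = True
    except ConnectionError:
        usable_after_close = False
    return accepted_while_active, key_leaked, usable_after_close
```

`demo()` returns `(True, False, False)`: a valid response while the session is open, no key material on the channel, and nothing usable once the session ends.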

