
Re: xscreensaver and ssh-agent



On Tue, Feb 27, 2001 at 10:23:58AM +1100, Brian May wrote:
> >>>>> "Gerfried" == Gerfried Fuchs <alfie@innocent.com> writes:
> 
>     Gerfried> So, if I followed the thread there is no problem at all
>     Gerfried> to write a short script that does the following:
> 
>     Gerfried> parses the output from "xscreensaver-command -watch" for
>     Gerfried> the output when it blanks/locks and then run "ssh-add
>     Gerfried> -D".  That should be enough, right?
> 
> Looks good (not tested).
> 
> Even better though:
> 
> ----------------------> rmagent.pl <--------------------------------------
> #!/usr/bin/perl
> use strict;
> 
> open (FOO, "/usr/bin/X11/xscreensaver-command -watch|")
>   || die "$0: can't watch xscreensaver\n";
> 
> while (<FOO>) {
>   if (m/^LOCK/) {
>     system("/usr/bin/ssh-add -D");
>     system("/usr/bin/kdestroy");
>   }
> }
> ----------------------> rmagent.pl <--------------------------------------
> 
> so it will destroy any Kerberos tickets, if any exist.
> 
> hmmm... I suggest only doing this after the screen is locked, not
> blanked, but I guess that is my preference...

Clever stuff, but people shouldn't get a false sense of security. This
is damage limitation, at best. If someone has cracked root on your own 
machine, they can kidnap any running ssh connections (and so gain any
privileges you have 'open') while the screensaver is on.

Jules
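
Added example, not part of the thread or written by its participants: a shell variant of the watcher that purges on LOCK only and also purges when the watcher's output ends, so the script does not stop silently with keys still loaded. `PURGE`, `purge_credentials`, `handle_events` and the `--watch` argument are hypothetical names chosen for this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. PURGE, purge_credentials, handle_events
# and the --watch argument are hypothetical names chosen for this sketch.
PURGE=${PURGE:-purge_credentials}

# Drop every identity from ssh-agent and destroy any Kerberos tickets.
purge_credentials() {
    rc=0
    # ssh-add finds the agent through SSH_AUTH_SOCK; without it nothing is purged.
    if [ -n "${SSH_AUTH_SOCK:-}" ]; then
        ssh-add -D || rc=1
    else
        echo "SSH_AUTH_SOCK not set: agent keys NOT removed" >&2
        rc=1
    fi
    # kdestroy is optional and fails harmlessly when there is no ticket cache.
    if command -v kdestroy >/dev/null 2>&1; then
        kdestroy 2>/dev/null || :
    fi
    return "$rc"
}

# Read "xscreensaver-command -watch" event lines on stdin.
# Purges on LOCK only (not BLANK), and once more when the input ends.
handle_events() {
    while read -r event _rest; do
        case $event in
            LOCK) "$PURGE" || echo "purge failed on LOCK" >&2 ;;
            *) ;;  # BLANK, UNBLANK, RUN: not a lock event, keep the keys
        esac
    done
    # Input ended: the watcher is gone and lock events can no longer be seen,
    # so fail closed instead of leaving keys loaded unnoticed.
    "$PURGE" || echo "purge failed on watcher exit" >&2
    return 1
}

# Start the real watcher only on request, so the functions can be sourced.
if [ "${1:-}" = "--watch" ]; then
    xscreensaver-command -watch | handle_events
fi
```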


