Re: SSH & xauth

From: David Terrell (dbtat_private)
Date: Fri Feb 25 2000 - 14:08:21 PST

    On Thu, Feb 24, 2000 at 05:31:35PM -0500, Brian Caswell wrote:
    > The only thing that is required for the client system to be compromised
    > is for the client to remotely log via ssh (with X11 forwarding enabled)
    > into a compromised server.
    
    And of course the sshd binary can be trojaned, your agent connections can
    be hijacked, passwords logged, etc.
    
    So add ForwardAgent no to that host * stanza, only log in with an RSA
    identity, and run ssh -v to see if anything weird happens.
    
    The SSH protocol trusts the server.  If you don't, tread very carefully.
    
    --
    David Terrell             | "Any sufficiently advanced technology
    Prime Minister, Nebcorp   | is indistinguishable from a rigged demo."
    dbtat_private              |  - Brian Swetland
    http://wwn.nebcorp.com/
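
An added example, not part of the original post: a small checker that resolves which forwarding options actually apply to a given host in an ssh_config, since the first value obtained for a keyword wins and a per-host stanza placed above "Host *" overrides it. The sample config, host names and function names are constructed for illustration, and the defaults assume a current OpenSSH client.

```python
import fnmatch

# Constructed sample: a per-host stanza above the catch-all turns forwarding back on.
SAMPLE_CONFIG = """\
Host build.example.org
    ForwardAgent yes
    ForwardX11 yes

Host *
    ForwardAgent no
    ForwardX11 no
"""

RISKY = ("forwardagent", "forwardx11")
# Assumption: current OpenSSH client defaults when a keyword is never set.
DEFAULTS = {"forwardagent": "no", "forwardx11": "no"}

def host_matches(patterns, host):
    """Host line semantics: a positive pattern must match and no negated one may."""
    positive = False
    for p in patterns:
        if p.startswith("!"):
            if fnmatch.fnmatchcase(host, p[1:]):
                return False
        elif fnmatch.fnmatchcase(host, p):
            positive = True
    return positive

def effective_options(config_text, host):
    """Resolve options for host; the first value obtained for a keyword wins."""
    active, result = True, {}  # lines before any Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        key, args = parts[0].lower(), parts[1:]
        if key == "host":
            active = host_matches(args, host)
        elif active and args and key not in result:
            result[key] = args[0].lower()
    return result

def forwarding_enabled(config_text, host):
    """Return the risky forwarding keywords that are not 'no' for this host."""
    opts = {**DEFAULTS, **effective_options(config_text, host)}
    return sorted(k for k in RISKY if opts[k] != "no")
```

Running forwarding_enabled() over each host you connect to shows where agent or X11 forwarding is still on despite the catch-all stanza.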
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:37:23 PDT