Bugtraq mailing list archives
Re: S/Key & OPIE Database Vulnerability
From: jpr5 () BOS BINDVIEW COM (Jordan Ritter)
Date: Thu, 27 Jan 2000 14:47:45 -0500
On Thu, 27 Jan 2000, Eivind Eklund wrote:

# You don't get the same effect by using ssh RSA authentication, partly
# you either have
# (1) Users that key in the passphrase each time they connect to the
#     server
# OR
# (2) Agent forwarding, which means that if any computer they have an
#     account on is compromised, so is your box.

I don't see how 2 can be true, at least by default. For agent-forwarding to give an attacker a useful advantage against the originating host, that host would have to both be running sshd, and have the public key specified in that particular user's known_hosts. If your configuration satisfies those requirements, then you shouldn't be using RSA in the first place because you're an accident waiting to happen.

For all hosts configured to forward agent requests (default) and have the public key present, sure, consider them all compromisable if someone hijacks a session on one of your hosts.

As an aside, automatic agent forwarding does have a few hidden pitfalls, though, like forwarding authentication across hosts that didn't use it:

    A(source) -> B(pubkey present, agent used)
    B -> C(pubkey missing or different, normal passauth used)
    C -> D(pubkey present, connection still forwarded)

Not sure, but this might still work even if RSAAuth is disabled on C. Don't know if OpenSSH behaves the same way, but I've heard arguments about why this can be good as well as bad.

Caveat Emptor, I guess.

Jordan Ritter
RAZOR Security
BindView Corporation
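The message above treats every host that receives a forwarded agent as part of the exposure. As an added example (not part of the original post or of any SSH project's code), this Python sketch resolves which destinations an OpenSSH-style client config would forward the agent to, using first-match-wins over Host blocks. The sample config, host names and the `default` parameter are assumptions; Match blocks are skipped.

```python
import fnmatch

# Constructed sample ssh client config; host names are hypothetical.
SAMPLE_CONFIG = """\
Host bastion.example.org
    ForwardAgent yes
Host *.lab.example.org !old.lab.example.org
    ForwardAgent no
Host *
    ForwardAgent yes
"""

def parse_blocks(text):
    """Return [(patterns, options)] per Host block, in file order."""
    blocks = [(["*"], {})]  # options before the first Host line apply to every host
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key, value = parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((value.split(), {}))
        elif key == "match":
            blocks.append(([], {}))  # simplification: Match blocks never apply here
        else:
            blocks[-1][1].setdefault(key, value)  # first value in a block wins
    return blocks

def host_matches(patterns, host):
    """A block applies if a positive pattern matches and no negated one does."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            positive = True
    return positive

def forwards_agent(text, host, default="no"):
    """True if the first applicable ForwardAgent value is anything but 'no'.
    `default` is an assumption: pass "yes" to model a client that forwards by default."""
    for patterns, opts in parse_blocks(text):
        if host_matches(patterns, host) and "forwardagent" in opts:
            return opts["forwardagent"].lower() != "no"
    return default.lower() != "no"

def exposed_hosts(text, hosts, default="no"):
    """Destinations that would receive a forwarded agent connection."""
    return [h for h in hosts if forwards_agent(text, h, default)]
```

Running `exposed_hosts` over the hosts you actually connect to shows where a trailing `Host *` block quietly turns forwarding on.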