[Developers] SECURITY: trivial reveal of stored passwords
Eric Warnke
ericew at gmail.com
Wed Aug 22 03:50:26 CEST 2007
On 8/21/07, Daniel M. Zimmerman <dmz+lists at tffenterprises.com> wrote:
> Yes... but in principle, this is no different from the ssh-agent process
> itself "leaking" your decrypted keys over the UNIX socket it uses when you
Your private, decrypted key never leaves the agent memory space. Yes,
someone can "piggyback" your agent if they are you or root, but
SSHKeychain already has protection from that by informing you when
someone tries to access the agent. This feature works no matter how
many ssh hops are removed as long as the agent forwarding is in place.
http://www.unixwiz.net/techtips/ssh-agent-forwarding.html
-Eric
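The point made in the message above, that the agent answers signing requests while the decrypted key stays in its memory and that each access attempt can be surfaced to the user, shown as an added example that is not part of the original post or SSHKeychain's code. `ToyAgent`, its `confirm` hook and all sample values are hypothetical, and HMAC-SHA256 stands in for a real public-key signature.

```python
import hashlib, hmac, struct

# Message numbers from the ssh-agent protocol
FAILURE, REQUEST_IDENTITIES, IDENTITIES_ANSWER = 5, 11, 12
SIGN_REQUEST, SIGN_RESPONSE = 13, 14

def sstr(b):
    """SSH wire 'string': uint32 length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def frame(msg_type, payload=b""):
    """Agent message: uint32 length, one type byte, payload."""
    return struct.pack(">IB", len(payload) + 1, msg_type) + payload

def read_str(buf, off):
    """Read one wire string at off; reject truncated input."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n

class ToyAgent:
    """Constructed model of an agent; HMAC stands in for a real signature."""
    def __init__(self, secret, public_blob, comment, confirm):
        self._secret = secret        # never serialized into any reply
        self.public_blob, self.comment = public_blob, comment
        self.confirm = confirm       # hypothetical hook, called per signing attempt
        self.attempts = []           # what the user would be notified about

    def handle(self, request):
        try:
            body, _ = read_str(request, 0)
            msg_type, payload = body[0], body[1:]
            if msg_type == REQUEST_IDENTITIES:
                ids = struct.pack(">I", 1) + sstr(self.public_blob) + sstr(self.comment)
                return frame(IDENTITIES_ANSWER, ids)
            if msg_type == SIGN_REQUEST:
                blob, off = read_str(payload, 0)
                data, off = read_str(payload, off)
                self.attempts.append(data)   # recorded even if then refused
                if blob != self.public_blob or not self.confirm(data):
                    return frame(FAILURE)
                sig = hmac.new(self._secret, data, hashlib.sha256).digest()
                return frame(SIGN_RESPONSE, sstr(sig))
        except (ValueError, IndexError, struct.error):
            pass
        return frame(FAILURE)        # no request type returns the secret
```

A client on the socket can list the public blob and obtain signatures over data it supplies, which is the "piggyback" case; the `confirm` hook is where a per-use notification or prompt would sit.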