[Developers] SECURITY: trivial reveal of stored passwords

Bart Matthaei bart at sshkeychain.org
Wed Aug 22 08:40:27 CEST 2007


Hi Eric,

Good solution. Should be easy to implement too.

Cheers,

Bart

On 22-aug-2007, at 3:31, Eric Warnke wrote:

> On 8/21/07, Daniel M. Zimmerman <dmz+lists at tffenterprises.com> wrote:
>> Unless I'm seriously misunderstanding the vulnerability and the
>> circumstances under which it's triggered, I suspect that the only
>> way to
>> fix it is going to be for SSHKeychain to do one of two extremely
>> inconvenient things:
>
> - Use a token to prove that the password request was made on behalf of
> SSHKeychain.app.  It can be placed in the environment and will get
> passed from ssh-add to PassphraseRequester and then back to
> SSHKeychain.app
>
> Simple, effective, and should work.
>
> -Eric

-- 
Bart Matthaei                                       bart at ambrero.nl

Ambrero Software
http://www.ambrero.nl/
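
The token round trip Eric describes, sketched as an added example (not SSHKeychain's code, and not written by anyone in this thread): the app puts a one-time random token in the child's environment and releases the passphrase only when that same token comes back. The variable name `SSHKEYCHAIN_REQUEST_TOKEN`, the `PassphraseBroker` class and the Python child standing in for ssh-add and PassphraseRequester are assumptions.

```python
import hmac
import os
import secrets
import subprocess
import sys

TOKEN_VAR = "SSHKEYCHAIN_REQUEST_TOKEN"  # hypothetical variable name


class PassphraseBroker:
    """Stands in for the app that holds the stored passphrases."""

    def __init__(self, passphrase):
        self._passphrase = passphrase
        self._pending = set()  # tokens issued and not yet redeemed

    def child_env(self):
        """Environment for the ssh-add child, carrying a fresh one-time token."""
        token = secrets.token_hex(32)
        self._pending.add(token)
        return dict(os.environ, **{TOKEN_VAR: token})

    def handle_request(self, presented):
        """Release the passphrase only for a token this broker issued."""
        given = (presented or "").encode()
        for token in list(self._pending):
            if hmac.compare_digest(token.encode(), given):  # constant time
                self._pending.discard(token)  # single use: a replay fails
                return self._passphrase
        return None


def run_helper(env):
    """Simulated requester: a child process echoing the token it inherited."""
    code = f"import os; print(os.environ.get({TOKEN_VAR!r}, ''), end='')"
    done = subprocess.run([sys.executable, "-c", code], env=env,
                          capture_output=True, text=True, check=True)
    return done.stdout


def demo():
    broker = PassphraseBroker("constructed-sample-passphrase")
    token = run_helper(broker.child_env())  # helper launched by the app
    stray_env = {k: v for k, v in os.environ.items() if k != TOKEN_VAR}
    return (broker.handle_request(run_helper(stray_env)),  # not launched by app
            broker.handle_request(token),                  # legitimate request
            broker.handle_request(token))                  # replayed token


if __name__ == "__main__":
    print(demo())  # (None, 'constructed-sample-passphrase', None)
```

The token is single-use because an inherited environment is not a secret channel; expiring it on first redemption limits what a copied value is worth.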
