[Developers] SECURITY: trivial reveal of stored passwords
Bart Matthaei
bart at ambrero.nl
Wed Aug 22 10:20:46 CEST 2007
On 22-aug-2007, at 3:31, Eric Warnke wrote:
> On 8/21/07, Daniel M. Zimmerman <dmz+lists at tffenterprises.com> wrote:
>> Unless I'm seriously misunderstanding the vulnerability and the
>> circumstances under which it's triggered, I suspect that the only
>> way to fix it is going to be for SSHKeychain to do one of two
>> extremely inconvenient things:
>
> - Use a token to prove that the password request was made on behalf of
> SSHKeychain.app. It can be placed in the environment and will get
> passed from ssh-add to PassphraseRequester and then back to
> SSHKeychain.app
We could create a token at startup and pass it to the environment of
every spawned PassphraseRequester and ssh process. In PassphraseRequester,
we can pass this to the UI.
I'm working on a fix at the moment, I'll commit something working soon.
Cheers,
Bart
--
Bart Matthaei bart at ambrero.nl
Ambrero Software
http://www.ambrero.nl/
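The token scheme sketched in this thread, worked through as an added example; this is not SSHKeychain's code and nothing here comes from the project. The environment variable name SSHKEYCHAIN_TOKEN, the helper names, and a small Python child standing in for the ssh-add / PassphraseRequester chain are all assumptions made for illustration. The parent generates one random token at startup, puts it in the environment of everything it spawns, and the UI side accepts a password request only if the requester hands that exact token back.

```python
"""Startup token passed through the environment to prove a request's origin.

Added example, not SSHKeychain's code. SSHKEYCHAIN_TOKEN, the helper names
and the Python child used in place of ssh-add / PassphraseRequester are
assumptions made for illustration.
"""
import hmac
import os
import secrets
import subprocess
import sys

TOKEN_VAR = "SSHKEYCHAIN_TOKEN"  # assumed variable name, not from the project


def make_token() -> str:
    """Generate the per-session token once, at application startup."""
    return secrets.token_hex(32)


def spawn_with_token(token: str, argv: list) -> subprocess.CompletedProcess:
    """Spawn a child (ssh or ssh-add in the real application) with the token
    in its environment. Children inherit the environment, so a requester
    started later by ssh-add sees the same variable."""
    env = dict(os.environ)
    env[TOKEN_VAR] = token
    return subprocess.run(argv, env=env, capture_output=True, text=True, check=False)


# Stand-in for PassphraseRequester: read the token from the environment and
# hand it back to the UI (here: print it on stdout).
REQUESTER = [sys.executable, "-c",
             f"import os; print(os.environ.get('{TOKEN_VAR}', ''))"]


def verify_request(expected: str, presented: str) -> bool:
    """UI side: accept only a request that carries the session token.
    An empty expected token never matches, and the comparison is
    constant-time so the value cannot be guessed byte by byte."""
    return bool(expected) and hmac.compare_digest(expected, presented)


def request_from_spawned_child(token: str) -> bool:
    """Legitimate path: the requester was spawned by us and inherits the token."""
    proc = spawn_with_token(token, REQUESTER)
    return verify_request(token, proc.stdout.strip())


def request_from_foreign_process(token: str) -> bool:
    """Forged path: a process we did not spawn asks for the password.
    It has no token in its environment, so it presents an empty value."""
    env = {k: v for k, v in os.environ.items() if k != TOKEN_VAR}
    proc = subprocess.run(REQUESTER, env=env, capture_output=True, text=True, check=False)
    return verify_request(token, proc.stdout.strip())


if __name__ == "__main__":
    session_token = make_token()
    print("spawned child accepted:", request_from_spawned_child(session_token))
    print("foreign process accepted:", request_from_foreign_process(session_token))
```

One caveat worth keeping in mind with this design: a process's environment is readable by other processes running as the same user (through ps(1) on macOS and BSDs, or /proc/<pid>/environ on Linux), so the token distinguishes requests made through SSHKeychain's own process tree from stray or accidental ones, but a same-user attacker who reads the environment of a running child can still present a valid token.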