[Developers] SECURITY: trivial reveal of stored passwords
Justin Patrin
papercrane at gmail.com
Wed Aug 22 21:44:46 CEST 2007
On 8/21/07, Eric Warnke <ericew at gmail.com> wrote:
> On 8/21/07, Daniel M. Zimmerman <dmz+lists at tffenterprises.com> wrote:
> > Yes... but in principle, this is no different from the ssh-agent process
> > itself "leaking" your decrypted keys over the UNIX socket it uses when you
>
> Your private, decrypted key never leaves the agent memory space. Yes,
> someone can "piggyback" your agent if they are you or root, but
> SSHKeychain already has protection from that by informing you when
> someone tries to access the agent. This feature works no matter how
> many ssh hops are removed as long as the agent forwarding is in place.
>
> http://www.unixwiz.net/techtips/ssh-agent-forwarding.html
>
To clarify: ssh-agent loads your private key but only ever signs
things with it. An application can ask ssh-agent to sign something,
but it never just returns the key.
--
Justin Patrin
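As an added illustration of that design, not code from this thread or from SSHKeychain or OpenSSH, here is a toy in-process agent in Go that speaks the ssh-agent sign-request/response framing: it holds an Ed25519 key, answers SSH_AGENTC_SIGN_REQUEST with a signature, and answers every other message with SSH_AGENT_FAILURE. The names ToyAgent, Handle and SignViaAgent are invented, the agent is assumed to hold exactly one key, and only the sign request is implemented (a real agent also answers identity listing and key add/remove); the message numbers are the protocol's own.

```go
package main

import "crypto/ed25519"
import "encoding/binary"

// Message numbers from the ssh-agent protocol (draft-miller-ssh-agent).
const agentFailure, agentcSignRequest, agentSignResponse = 5, 13, 14
// sshString encodes b as a uint32-length-prefixed SSH string; readString splits one off the front of b.
func sshString(b []byte) []byte {
	return append(binary.BigEndian.AppendUint32(nil, uint32(len(b))), b...)
}
func readString(b []byte) (s, rest []byte, ok bool) {
	if len(b) >= 4 {
		if n := 4 + int(binary.BigEndian.Uint32(b)); n <= len(b) {
			return b[4:n], b[n:], true
		}
	}
	return nil, nil, false
}

// ToyAgent (invented name) keeps the private key in its own memory; signing is all it ever does with it.
type ToyAgent struct{ Priv ed25519.PrivateKey }
// KeyBlob is the public wire blob ("ssh-ed25519" + public key) a client uses to name the key.
func (a ToyAgent) KeyBlob() []byte {
	return append(sshString([]byte("ssh-ed25519")), sshString(a.Priv.Public().(ed25519.PublicKey))...)
}

// Handle takes one message (type byte + payload) and returns the reply.
func (a ToyAgent) Handle(msg []byte) []byte {
	if len(msg) > 0 && msg[0] == agentcSignRequest {
		blob, rest, ok1 := readString(msg[1:])
		data, _, ok2 := readString(rest) // a uint32 flags field follows; ignored here
		if ok1 && ok2 && string(blob) == string(a.KeyBlob()) {
			sig := append(sshString([]byte("ssh-ed25519")), sshString(ed25519.Sign(a.Priv, data))...)
			return append([]byte{agentSignResponse}, sshString(sig)...)
		}
	}
	return []byte{agentFailure} // no message type has a reply that carries the private key
}

// SignViaAgent is the client side: send SSH_AGENTC_SIGN_REQUEST, get back only the 64-byte signature.
func SignViaAgent(a ToyAgent, data []byte) ([]byte, bool) {
	req := append([]byte{agentcSignRequest}, sshString(a.KeyBlob())...)
	req = append(append(req, sshString(data)...), 0, 0, 0, 0) // flags = 0
	resp := a.Handle(req)
	sigBlob, _, _ := readString(resp[1:]) // empty when the agent answered SSH_AGENT_FAILURE
	_, inner, _ := readString(sigBlob)    // skip the "ssh-ed25519" algorithm name
	sig, _, ok := readString(inner)
	return sig, ok && resp[0] == agentSignResponse
}
```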