Tuesday, August 21, 2007

SSH Misinformation

Dave Dribin insists you must use ssh-agent and pass phrases for private keys, just in case someone gets access to your account, the assumption being that someone won't be able to access your remote machines because they don't know your password.

If someone gets access to my account, they won't have any trouble stealing my password and getting into my remote machines anyway. What's worse is ssh-agent can make you less not more secure. It forwards a connection to each machine you log into; anyone with root privileges on these machines can access your private keys.


Blogger danshep said...

Actually, you're just piling more misinformation on.

A user with root access on a machine in the forwarding chain can establish connections using your agent.

They DO NOT get access to your private keys - they never go over the wire. Once your connection to those machines is terminated, so to has their ability to connect using your keys.

The following provides a fairly good overview of the authentication mechanism and the risk thereof:


5:10 PM  
Blogger danshep said...

Oh, and ssh agent forwarding is not an automatic process. Using ssh agent to secure your local key file WILL get you added security. The extra step of forwarding that agent discussed by Dave, and be default isn't going to happen.

5:14 PM  
Blogger Bob said...

Thanks for the clarification.

5:14 PM  

Post a Comment

Links to this post:

Create a Link

<< Home