[Sshmgmt] Agent forwarding

Simon Josefsson <simon@josefsson.org> Wed, 10 April 2013 17:48 UTC

Message-ID: <1365616078.5530.7.camel@latte.josefsson.org>
From: Simon Josefsson <simon@josefsson.org>
To: sshmgmt@ietf.org
Date: Wed, 10 Apr 2013 19:47:58 +0200

Hi.  Please consider discussing the problem of enabling so-called "agent
forwarding" (OpenSSH -A flag) when connecting to remote systems.

Briefly, if a remote system has been compromised, and you connect to it
using 'ssh -A', the remote system can use your credentials to log in to
other systems.  Normally there is no user feedback on what is going on
either.  I've seen uses of 'ForwardAgent yes' in people's .ssh/config
which is risky and IMHO a problem worthy of attention.

If this concern is already covered by more generic text in the document,
I must have missed it and then I'm sorry for wasting your time -- I
searched for "agent" in the document.

Thanks,
/Simon
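The risk described in the message above is a client-side configuration problem, so a defender's first step is to find out where `ForwardAgent` is switched on. The POSIX shell script below is an added example, not part of the original message or of OpenSSH; it audits ssh_config text read from stdin, reports each Host/Match block that enables agent forwarding, and exits non-zero when it finds any. The two sample configurations and the host names in them are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original message): audit an OpenSSH client
# config for "ForwardAgent yes" and report the Host/Match block enabling it.
# Reads ssh_config text on stdin. Exit status 0 = nothing found, 1 = found.

audit_forward_agent() {
    awk '
        BEGIN { found = 0; block = "" }
        {
            line = $0
            sub(/#.*/, "", line)            # strip comments
            sub(/^[ \t]+/, "", line)        # strip leading whitespace
            sub(/[ \t]+$/, "", line)        # strip trailing whitespace
            if (line == "") next            # skip blank lines
            # ssh_config keywords are case-insensitive and may be written
            # as "Key value" or "Key=value"; split keyword from argument.
            if (match(line, /^[A-Za-z]+/) == 0) next
            key  = tolower(substr(line, RSTART, RLENGTH))
            rest = substr(line, RLENGTH + 1)
            sub(/^[ \t=]+/, "", rest)
            if (key == "host" || key == "match") {
                block = key " " rest        # start of a new block
                next
            }
            if (key == "forwardagent" && tolower(rest) == "yes") {
                printf "risky: ForwardAgent yes in block [%s]\n",
                       (block == "" ? "global" : block)
                found = 1
            }
        }
        END { exit found }
    '
}

# Constructed sample: the risky pattern the message describes, agent
# forwarding enabled for every host.
RISKY_CONFIG='Host *
    ForwardAgent yes
    ServerAliveInterval 30'

# Constructed sample: the corrected form. Forwarding is off by default
# (which is also the OpenSSH default when the option is absent); the
# host name is a placeholder.
SAFER_CONFIG='Host bastion.example
    ForwardAgent no
Host *
    ForwardAgent no'

# Constructed sample: forwarding scoped to one named host only; the audit
# still flags it, but names the block so the reviewer can judge it.
SCOPED_CONFIG='Host jump.example
    ForwardAgent=yes
Host *
    ForwardAgent no'

# Stand-alone demonstration; the test harness checks the same results.
for cfg in RISKY_CONFIG SAFER_CONFIG SCOPED_CONFIG; do
    eval "text=\$$cfg"
    if printf '%s\n' "$text" | audit_forward_agent; then
        echo "$cfg: clean"
    else
        echo "$cfg: agent forwarding enabled (see above)"
    fi
done
```

Run it against a real file with `audit_forward_agent < ~/.ssh/config`. Two caveats a reviewer should keep in mind: OpenSSH uses the first obtained value for each option, so a `ForwardAgent yes` placed before the per-host blocks wins over any later `ForwardAgent no`, and the script does not follow `Include` directives. To confirm what a given connection will actually use, `ssh -G hostname` prints the effective configuration, and `forwardagent` can be read off that output directly.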