Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Secure-Shell
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: How necessary is SSH_AUTH_SOCK?

from [Roland Turner (Security Focus)] Network Security [Permanent Link]
Subject: Re: How necessary is SSH_AUTH_SOCK?
Date: Tue, 03 Oct 2006 08:08:45 +0100 
On Mon, 2006-10-02 at 13:03 -0400, Derek Martin wrote:


On Sun, Oct 01, 2006 at 09:38:56AM -0500, Steven Elliott wrote:

...

How is having the socket file on an NFS server a problem?  I know that
other applications do it, such as evolution / spamd:
    /home/sle/.evolution/cache/tmp/spamd-socket-path-bz4CuE


On most platforms, this is a gigantic mistake, particularly if the
data is or could be sensitive (as is the case with authentication
credentials provided by ssh-agent).  There are at least two problems
that I can think of off the top of my head:

1. In general, NFS does not encrypt the data that goes over the wire.


You are making the mistaken assumption that a UNIX-domain socket can
magically, simply by virtue of the i-node that describes it being stored
on an NFS (or other) server, become a network socket. This is not
correct.

Even if the i-node that describes the socket is resident on a remote
file server rather than on a host's local disk, the socket itself
remains intra-host; only pairs of processes running on the same host can
communicate with each other. Naturally, in the
~/.ssh/agent-where-~-is-mounted-by-many-hosts case, you can have as many
agents running as you like (not that this is good practice), but in each
case, only clients running on the same host as the agent (or clients
talking to an sshd running on the same host as the agent) will be able
to talk to each agent.

- Raz
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: OpenSSH and FTP, Jack Curtin
Next by Date:  Agent Forwarding Question for the list, Jason Powers
Previous by Thread:  Re: How necessary is SSH_AUTH_SOCK?, Derek Martin
Next by Thread:  Re: How necessary is SSH_AUTH_SOCK?, Roumen Petrov
Indexes:  [Date] [Thread] [Top] [All Lists]