Package: openssh-client
Version: 1:4.3p2-9etch3
Severity: normal
Tags: patch
The man page ssh-agent(1) says,

"""Authentication data need not be stored on any other machine, and authentication passphrases never go over the network. However, the connection to the agent is forwarded over SSH remote logins, and the user can thus use the privileges given by the identities anywhere in the network in a secure way."""

This is not true, and would be a serious security problem if it were -- a compromise on the remote host could employ the user's privileges to connect elsewhere. In fact, no such connection is forwarded unless the user specifically asks for it with the -A option to ssh. The patch below fixes this error.

Cheers,
Greg

--- ssh-agent.1~ 2008-12-19 18:12:40.000000000 -0500
+++ ssh-agent.1 2008-12-19 18:15:02.000000000 -0500
@@ -129,8 +129,10 @@ terminal. Authentication data need not be stored on any other machine, and authentication passphrases never go over the network. -However, the connection to the agent is forwarded over SSH -remote logins, and the user can thus use the privileges given by the +However, with +.Cm ssh -A +the connection to the agent may be forwarded over SSH remote logins, +so that the user can use the privileges given by the identities anywhere in the network in a secure way. .Pp There are two main ways to get an agent set up:

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.24.5
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages openssh-client depends on:
ii  add  3.102                                  Add and remove users and groups
ii  deb  1.5.11etch2                            Debian configuration management sy
ii  dpk  1.13.25                                package maintenance system for Deb
ii  lib  2.3.6.ds1-13etch7                      GNU C Library: Shared libraries
ii  lib  1.39+1.40-WIP-2006.11.14+dfsg-2etch1   common error description library
ii  lib  2.9.cvs.20050518-2.2                   BSD editline and history libraries
ii  lib  1.4.4-7etch6                           MIT Kerberos runtime libraries
ii  lib  5.5-5                                  Shared libraries for terminal hand
ii  lib  0.9.8c-4etch3                          SSL shared libraries
ii  pas  1:4.0.18.1-7                           change and administer password and
ii  zli  1:1.2.3-13                             compression library - runtime

openssh-client recommends no packages.

-- no debconf information
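Review bot: the inserted line `+.Cm ssh -A` uses the wrong mdoc macro: `.Cm` marks a command modifier, whereas a reference to another manual page and one of its flags is written with `.Xr` and `.Fl`, so the added lines should read `+However, with` / `+.Xr ssh 1` / `+.Fl A` (adjusting the `+129,10` count only if the line count changes). Separately, the new wording keeps the old closing phrase "in a secure way", which understates the point the report itself makes: once the agent connection is forwarded, a compromise of the remote host can use the user's identities to connect elsewhere, so the sentence should make clear that -A extends trust to the remote host rather than leaving "secure" unqualified.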