(Anonymizing the reply I received as the sender apparently chose not to send it to the list.)

On 02/10/2020 07:30 PM, [someone] wrote:
> On Feb 10, 2020, at 10:03 AM, Jochen Bern <Jochen.Bern@xxxxxxxxx> wrote:
>> In particular in the case of ssh-agent [...]
>
> Yes, but if there is an ssh-agent running and you have a root process, you
> could query the keys in it.

A root process on the client machine should be able to record the passphrase as the user types it, to name but one option, so that's pretty much a "game over" situation - short of having the privkey operations moved to a hardware token with its own input device.

An attacker on the client machine who can merely *communicate* with the running ssh-agent should not be able to *extract* any privkeys from it. He can try to *use* them, though - and that's why I advocate to always use the -c and -t options of ssh-add.

(Not that I would be likely to notice if the attacker were to slip in one confirmation popup *right* when I'm, e.g., distributing a file to a couple dozen target machines every once in a while, though. If the popup were to state the target machine/account, it would be more helpful to me than now, showing the keypair about to be used.)

(FWIW, I'm using Ksshaskpass and OpenSSH's ssh-agent + ssh-add. IIRC I've once seen a system/distrib where even the agent was *not* OpenSSH's, in spite of it using OpenSSH ssh and sshd.)

>> Note, however, that offhand, I cannot find a command that allows you to
>> derive a pubkey from a privkey,
>
> Presuming you have the key for the privkey you may use
> ssh-keygen -y -f .ssh/id_ecdsa

Ah, I missed the -y option when I skimmed the manpage, thanks ...

Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH
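Added example (not part of the thread above, and not OpenSSH's own code): the reason `ssh-keygen -y -f` works for any key type is that the OpenSSH "openssh-key-v1" private key container stores the public key in the clear, next to the private section, which is the only part a passphrase protects. The parser below reads that container with nothing but the standard library, prints the same `ssh-ed25519 AAAA... comment` line that `ssh-keygen -y` would, and reports whether the private section is passphrase-protected (cipher/KDF other than `none`), which is the audit question a defender usually wants answered for keys found on a client machine. The key bytes it is fed are constructed placeholders, not a real Ed25519 key pair; only the file layout is exercised.

```python
"""Parse the OpenSSH 'openssh-key-v1' private key container (stdlib only).

Layout of the base64 body, per OpenSSH's PROTOCOL.key:
  "openssh-key-v1\0" | string ciphername | string kdfname | string kdfoptions
  | uint32 nkeys | string publickey-blob | string private-section
The private section is the only part encrypted when a passphrase is set.
"""
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
PEM_HEAD = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_TAIL = "-----END OPENSSH PRIVATE KEY-----"


def _s(b: bytes) -> bytes:
    """Encode an SSH 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def _read_s(buf: bytes, off: int):
    """Decode one SSH 'string' at offset; return (value, next_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4 : off + 4 + n], off + 4 + n


def build_unencrypted_ed25519(pub: bytes, priv: bytes, comment: bytes) -> str:
    """Build an unencrypted container around caller-supplied key bytes.

    Constructed for this example: `pub`/`priv` need not be a real key pair,
    the function only produces the container layout ssh-keygen would write.
    """
    pub_blob = _s(b"ssh-ed25519") + _s(pub)
    check = b"\x12\x34\x56\x78"            # check1 == check2 signals a good decrypt
    private = check + check + _s(b"ssh-ed25519") + _s(pub) + _s(priv) + _s(comment)
    padlen = (8 - len(private) % 8) % 8    # pad to the "none" cipher block size
    private += bytes(range(1, padlen + 1)) # OpenSSH pads with 1, 2, 3, ...
    body = (MAGIC + _s(b"none") + _s(b"none") + _s(b"") + struct.pack(">I", 1)
            + _s(pub_blob) + _s(private))
    b64 = base64.b64encode(body).decode()
    lines = [b64[i : i + 70] for i in range(0, len(b64), 70)]
    return "\n".join([PEM_HEAD, *lines, PEM_TAIL]) + "\n"


def parse_openssh_private_key(pem: str) -> dict:
    """Return cipher/KDF, key type, public key line and (if readable) comment."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != PEM_HEAD or lines[-1] != PEM_TAIL:
        raise ValueError("not an OpenSSH private key file")
    body = base64.b64decode("".join(lines[1:-1]))
    if not body.startswith(MAGIC):
        raise ValueError("bad magic; not openssh-key-v1")
    off = len(MAGIC)
    cipher, off = _read_s(body, off)
    kdf, off = _read_s(body, off)
    _kdfopts, off = _read_s(body, off)
    (nkeys,) = struct.unpack_from(">I", body, off)
    off += 4
    if nkeys != 1:
        raise ValueError(f"unexpected key count {nkeys}")
    pub_blob, off = _read_s(body, off)     # stored in the clear, always readable
    keytype, _ = _read_s(pub_blob, 0)
    private, off = _read_s(body, off)
    info = {
        "cipher": cipher.decode(),
        "kdf": kdf.decode(),
        "keytype": keytype.decode(),
        "encrypted": cipher != b"none",
        # This is exactly what `ssh-keygen -y -f` prints (minus the comment).
        "public_key_line": f"{keytype.decode()} {base64.b64encode(pub_blob).decode()}",
    }
    # The comment lives in the private section, so it is only readable when
    # that section is plaintext; the walk below is the ed25519 layout.
    if not info["encrypted"] and keytype == b"ssh-ed25519":
        p = 8                               # skip check1/check2
        _, p = _read_s(private, p)          # key type (repeated)
        _, p = _read_s(private, p)          # public key
        _, p = _read_s(private, p)          # private key (seed || pub)
        comment, p = _read_s(private, p)
        info["comment"] = comment.decode()
        info["public_key_line"] += " " + info["comment"]
    return info


# Constructed sample: placeholder key bytes, not a usable key pair.
SAMPLE_KEY = build_unencrypted_ed25519(bytes(range(32)), bytes(range(64)),
                                       b"jochen@example")

if __name__ == "__main__":
    info = parse_openssh_private_key(SAMPLE_KEY)
    print(info["public_key_line"])
    print("passphrase-protected:", info["encrypted"])
```

Pointing the parser at a real `~/.ssh/id_ed25519` gives the same public key line as `ssh-keygen -y -f ~/.ssh/id_ed25519`; for a passphrase-protected file it still yields the public key but reports `encrypted: True` and no comment, which makes it a quick inventory check for unprotected keys on a client machine. The check1/check2 comparison that OpenSSH uses to detect a wrong passphrase is only meaningful after decrypting the private section, which this stdlib-only example does not attempt.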
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev