Marc Horowitz <[EMAIL PROTECTED]> writes:
> [EMAIL PROTECTED] (Niels Möller) writes:
>
> >> What is ticket-forwarding (I could guess, but I would prefer a precise
> >> answer from someone who _knows_)? Does it have the same potential
> >> problems as ssh agent forwarding?
>
> The potential for problems can be more limited, but again, most
> implementations don't bother.
[ ... about kerberos ticket forwarding ... ]
Thanks for the explanation.
> With ssh, there is no way for a server to distinguish if the client
> was given the password, is using a local ssh-agent, or is using a
> forwarded ssh agent.
I haven't seen any spec for the ssh-agent mechanism (and I haven't
implemented it in lsh either). But perhaps it would make sense to
include information about the service being authenticated to,
communication end points, whether or not the server wants to allow
forwarding, etc., in the challenge sent to the agent?
Of course, the server can't know that the agent really pays any
attention to that information, but I think that is a minor problem (if
the user wants to be sloppy, it's his problem). But perhaps it could
stop abuse of a forwarded agent by a compromised intermediate host;
the server would include enough information in the challenge for the
local agent to recognize that things are not quite right, and then it
refuses to sign the challenge.
/Niels
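One way to model the context-bound challenge sketched above, as an added example that is not from the thread and not lsh code: the server binds its identity, the service, the peer address and its forwarding policy into the challenge, and the local agent checks those fields against what the user intended before signing. The HMAC stand-in for the agent's signature, the field names and the host names are all assumptions made for the example.

```python
import hashlib
import hmac
import json

# Constructed stand-in: a shared-secret HMAC plays the role of the agent's
# signature so the example runs offline; a real agent would use its private key.
AGENT_KEY = b"constructed-demo-key"


def build_challenge(server, service, client_addr, accepts_forwarded_agent, nonce):
    """Server side: bind the challenge to the session it is meant for."""
    return {
        "server": server,                  # host the client is authenticating to
        "service": service,                # e.g. "ssh-userauth"
        "client": client_addr,             # the peer the server actually sees
        "accepts_forwarded_agent": accepts_forwarded_agent,
        "nonce": nonce,
    }


def canonical(challenge):
    """Deterministic encoding so both sides sign/verify the same bytes."""
    return json.dumps(challenge, sort_keys=True).encode()


class Agent:
    """Local agent that inspects the challenge context before signing."""

    def __init__(self, key, intended_servers):
        self.key = key
        self.intended = set(intended_servers)  # hosts the user meant to reach

    def sign(self, challenge, via_forwarding):
        """Return a signature, or None when the context looks wrong."""
        if challenge["service"] != "ssh-userauth":
            return None  # only sign for the service we understand
        if challenge["server"] not in self.intended:
            return None  # an intermediate host is pointing us at a destination we never chose
        if via_forwarding and not challenge["accepts_forwarded_agent"]:
            return None  # the target server said it does not want forwarded agents
        return hmac.new(self.key, canonical(challenge), hashlib.sha256).hexdigest()


def verify(key, challenge, signature):
    """Server side: check the signature over the same bound challenge."""
    if signature is None:
        return False
    expected = hmac.new(key, canonical(challenge), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)
```

Because the challenge fields are part of what is signed, a relayed signature cannot be reused for a different server, peer or nonce, and the agent's refusal is visible to the user as a failed authentication rather than a silent success.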