How do I gracefully exit/shutdown a "remote" machine?
Fraser Campbell
fraser-eicrhRFjby5dCsDujFhwbypxlwaOVQ5f at public.gmane.org
Fri Jul 22 03:03:29 UTC 2005
On Thu, 2005-21-07 at 19:07 -0400, CLIFFORD ILKAY wrote:
> I know this can be done
> with ssh agent forwarding but I have not investigated it yet to
> figure how or even if it can be done in a secure manner. My solution
> for now, as imperfect as it is, is to copy my private key to B and
> delete it after using it to establish the connection between B and C.
If it weren't secure, I suspect it would have been removed from all SSH
clients and servers a long time ago. Reading the manpage on ssh-agent, it
explains that the client will never see your private key; from my
rudimentary understanding of PKI I assume it's something like this:
- server requests authentication (key-based first, if enabled)
- server says to client, encrypt "adsfuh34tblahblah" for me
- client says to agent, encrypt "adsfuh34tblahblah" for me
- agent says to client, looks like "*&^%#$(&$%NFDJNB^&T" to me
- client says to agent, looks like "*&^%#$(&$%NFDJNB^&T" to me
- server decrypts "*&^%#$(&$%NFDJNB^&T" using your public key, if it
matches "adsfuh34tblahblah" then you're in
If you connect from machine A to machine B to machine C using agent
forwarding at each step, then the key request gets passed all the way
back through the chain of agents to your original machine.
I know of a few ways this falls apart:
- if you ignore key warnings and "fix" them, then you're subject to
  man-in-the-middle attacks regardless of key auth or not (they
  still won't get your key, but the session is busted)
- if you run on a whiz-bang Windows system with all the latest spyware,
  or a crap unpatched Linux system ;-)
Seems pretty secure to me, and I have no idea how I would live without
it. With hundreds of servers (or even one server), login passwords are a
ridiculous waste of time and much less secure!
My $0.02 :-)
Fraser
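The A -> B -> C flow described in the post, as an added model that is not code from the original message and not OpenSSH's implementation. Real sshd has the agent produce a signature (over a blob that includes the session identifier) and checks it with the public key from authorized_keys; the toy RSA key below, built from two known Mersenne primes, stands in for that, and the class names (Agent, ForwardedAgent, Client, Server) are assumed for illustration. What it shows: the forwarded socket on the middle hop relays requests but holds no key material, a hop that answers with a different key is refused, and only one object in the whole chain ever has the private key.

```python
"""Toy model of SSH public-key authentication through forwarded agents.

Added illustration: not code from the original post and not OpenSSH's
implementation. Real SSH has the agent sign (not encrypt) a blob that
includes the session identifier, with ssh-rsa or ed25519 keys; here a
toy RSA key built from two known Mersenne primes stands in for that.
"""
import hashlib
import os

E = 65537  # standard RSA public exponent


def toy_keypair(q_bits: int = 61):
    """Assumption: toy primes 2^31-1 and 2^q_bits-1 (q_bits in {61, 89})."""
    p, q = (1 << 31) - 1, (1 << q_bits) - 1
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)  # (public, private)


def digest(challenge: bytes, n: int) -> int:
    """Hash the server's challenge and reduce it into the RSA modulus."""
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % n


class Agent:
    """ssh-agent on machine A: the only process that ever holds the key."""

    def __init__(self, priv):
        self._priv = priv

    def sign(self, challenge: bytes) -> int:
        n, d = self._priv
        return pow(digest(challenge, n), d, n)


class ForwardedAgent:
    """The agent socket sshd creates on a middle hop (B) when agent
    forwarding is on. It holds no key material; every request is
    relayed back down the chain toward the real agent."""

    def __init__(self, upstream):
        self.upstream = upstream

    def sign(self, challenge: bytes) -> int:
        return self.upstream.sign(challenge)


class Client:
    """The ssh client on the hop that is logging in; it only knows a socket."""

    def __init__(self, agent):
        self.agent = agent

    def answer(self, challenge: bytes) -> int:
        return self.agent.sign(challenge)


class Server:
    """sshd on the target host: has the public key from authorized_keys."""

    def __init__(self, pub):
        self.pub = pub

    def authenticate(self, client: Client) -> bool:
        challenge = os.urandom(32)          # fresh per login attempt
        sig = client.answer(challenge)
        n, e = self.pub
        return pow(sig, e, n) == digest(challenge, n)


def build_chain(hops: int, priv):
    """A -> B -> ...: one real Agent plus hops-1 relaying sockets."""
    agent = Agent(priv)
    for _ in range(hops - 1):
        agent = ForwardedAgent(agent)
    return agent


def login_via_chain(hops: int = 3) -> bool:
    """Log in to the last hop with the key that only machine A holds."""
    pub, priv = toy_keypair()
    return Server(pub).authenticate(Client(build_chain(hops, priv)))


def login_with_substituted_key(hops: int = 3) -> bool:
    """A hop that answers with some other key is refused by the server."""
    pub, _ = toy_keypair(61)
    _, other_priv = toy_keypair(89)   # a different toy key, not the one in authorized_keys
    return Server(pub).authenticate(Client(build_chain(hops, other_priv)))


def key_holders(hops: int = 3) -> int:
    """Count the objects in the chain that actually hold private material."""
    node, count = build_chain(hops, toy_keypair()[1]), 0
    while node is not None:
        count += hasattr(node, "_priv")
        node = getattr(node, "upstream", None)
    return count


if __name__ == "__main__":
    print("A -> B -> C login:", login_via_chain())           # True
    print("substituted key:", login_with_substituted_key())  # False
    print("hosts holding the key:", key_holders())           # 1
```

The model deliberately leaves out what real SSH adds on top: the signed blob binds the signature to the session identifier, which is why a man-in-the-middle can hijack a session whose host key warning was clicked through but still cannot extract the key or replay the signature elsewhere.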
--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml