I thought as a means of preventing ssh-agent hijacking by remote hosts one could have a local process communicating with the agent, simply by having a term open with this sort of dialog:

    agent-mon: on host foo.elite.com requesting agent forwarding
    for host bar.elite.com (fingerprint matches known_hosts)
    allow? [yes/no]:

I know concepts presented along with patches are preferred, but I'm pretty occupied at the moment and wanted to know if such a system was feasible and/or desirable in order to protect against agent hijacking on remote hosts.

I'm assuming one would need a "known_hosts" entry for 'bar' on the machine running the agent to make sure that it's not someone waiting for you to attempt to ssh to a trusted machine then hijacks the conversation.

I'm not subscribed so be sure to CC me on any flames. :)

thanks,
-- 
-Alfred Perlstein - [bright at wintelcom.net|alfred at freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."
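A sketch of the decision the proposed monitor would make, added here as an illustration and not code from the post or from OpenSSH. The function names, the constructed key blobs, and the idea that the monitor is handed the requesting host, target host and presented key fingerprint as arguments are all assumptions; the post does not say how the monitor would learn them.

```python
import base64
import hashlib

def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def load_known_hosts(text):
    """Map each plain host name to the set of fingerprints pinned for it."""
    pinned = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, comments, @revoked/@cert-authority markers, hashed names.
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue
        for host in fields[0].split(","):
            pinned.setdefault(host, set()).add(fingerprint(fields[2]))
    return pinned

def review_request(origin, target, presented_fp, pinned, ask=input):
    """Return True only if the target key is pinned AND the user answers yes."""
    if presented_fp not in pinned.get(target, set()):
        # Unknown host or changed key: refuse outright rather than show a
        # prompt that a hurried user might approve.
        return False
    prompt = ("agent-mon: on host %s requesting agent forwarding for host %s "
              "(fingerprint matches known_hosts) allow? [yes/no]: "
              % (origin, target))
    return ask(prompt).strip().lower() == "yes"

# Constructed sample data: the key blobs are arbitrary bytes, not real keys.
BAR_KEY = base64.b64encode(b"constructed key blob for bar").decode()
ROGUE_KEY = base64.b64encode(b"constructed key blob for impostor").decode()
SAMPLE_KNOWN_HOSTS = ("# constructed file\n"
                      "bar.elite.com,bar ssh-ed25519 %s\n" % BAR_KEY)

if __name__ == "__main__":
    pinned = load_known_hosts(SAMPLE_KNOWN_HOSTS)
    for key in (BAR_KEY, ROGUE_KEY):
        ok = review_request("foo.elite.com", "bar.elite.com",
                            fingerprint(key), pinned, ask=lambda p: "yes")
        print(fingerprint(key), "->", "allowed" if ok else "denied")
```

The mismatch case is denied before any prompt is shown, so the only question the user is ever asked is the one where the known_hosts check has already passed.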