On 2009-08-16 09:23:37 PM, Mike McGrath wrote:
I'm conflicted on this, there's valid points here but also the risks are fairly low. As far as disabling agent forwarding, that's trivial to re-enable if the box gets rooted.

Yeah, that's true - what Jeremy suggested sounds like a better idea (and perhaps it could be added to CSI).

Specifically we're trying to protect against a rooted publictest becoming a password harvester right?

Yup (and SSH agent harvesters as well). The goal is that if a publictest machine were compromised (since it'd probably be one of the easier targets), any damage would be confined to that machine as much as