FAS and public Key auth

Mike McGrath mmcgrath at redhat.com
Thu May 22 04:06:23 UTC 2008


Let's get this topic started.  We've had a lot of requests to have FAS
authentication with third party groups (both nirik and dgilmore have
requested such setups).

We can easily set things up so that public keys can be used.  I still
have grave security concerns about this though.  The obvious fear is
compromise of a third party box that allows an unauthorized person to
then access our production servers.

The reality is this isn't much different from having an individual
contributor's machine get hacked and having them then log in to one of our
boxes (this has happened once that I am aware of).  The main difference
though is how to target.

Let's assume an attacker wants to commit something bad to our servers.
If they wanted to do it as me, they'd have to attack my workstation and
somehow gain root access on the box.  At that point they'd be able to take
my keys or agent.  A difficult task.

Now let's say that one of our third party machines is allowing people to
build via mock for PPC (this is one real request).  That third party box
has the SSH keys of a number of people, let's say one of them is
sysadmin-main.  The attacker would need to merely create an FAS account,
request access to the group that gives access to that machine and they'd
be able to take the ssh keys as people log in.

Now, I've never actually done this.  It's just my understanding that it'd
work that way.  If you had root on a box and I sshed there with my ssh
key, would you not have access to take the key and log in to other boxes
as me?

So my question is, is this a real risk or is there a precaution in SSH
preventing the attack I'm describing (basically a man in the middle type
attack)?

I can think of a number of options to prevent this but I'm curious what
the rest of you think.

	-Mike
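
Added example, not part of the original message: per ssh_config(5), when agent forwarding is enabled, users able to bypass file permissions on the remote host can use the keys loaded in the forwarded agent, so this Python sketch resolves the effective ForwardAgent setting per host from a client config. The sample config and host names are constructed, and Match blocks are not evaluated.

```python
import fnmatch

SAMPLE_CONFIG = """\
# Constructed sample client config (host names are placeholders).
Host ppc-builder.example.org
    ForwardAgent yes

Host *.example.org !bastion.example.org
    ForwardAgent no

Host *
    forwardagent=yes
"""

def host_matches(patterns, host):
    """ssh_config rule: a positive pattern must match and no negated one may."""
    positive = False
    for pattern in patterns:
        if pattern.startswith("!"):
            if fnmatch.fnmatchcase(host, pattern[1:]):
                return False          # a negated match vetoes the whole Host line
        elif fnmatch.fnmatchcase(host, pattern):
            positive = True
    return positive

def effective_forward_agent(config_text, host):
    """Return the first ForwardAgent value that applies to host (default 'no')."""
    applies = True                    # options before the first Host apply to all
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # "key value" or "key=value"
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            applies = host_matches(value.split(), host)
        elif key == "match":
            applies = False           # assumption: Match blocks are skipped here
        elif key == "forwardagent" and applies:
            return value.strip('"').lower()   # first obtained value wins
    return "no"

def hosts_exposing_agent(config_text, hosts):
    """Hosts for which the local agent would be forwarded to the remote side."""
    return [h for h in hosts if effective_forward_agent(config_text, h) != "no"]
```

The bastion host in the sample is excluded from the `ForwardAgent no` block by its negated pattern and so falls through to the permissive `Host *` default, which is the kind of gap this check is meant to surface.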



