FAS and public Key auth

Till Maas opensource at till.name
Fri May 23 11:53:48 UTC 2008

On Thu May 22 2008, Mike McGrath wrote:
> On Thu, 22 May 2008, Jeremy Katz wrote:

> > And the risk isn't increased by us allowing third-party groups to do
> > auth via FAS.  This risk is present whenever any user logs in to another
> > machine with agent forwarding.  Which is requested by the user/client --
> > not the machine being logged into.
> The risk does increase as far as targeting goes though.  If you were to do
> this type of attack right now, how would you go about doing it and what
> machines would you use?  If we start allowing third party machines that
> have basically no barrier to entry it becomes much easier to plan and
> execute the attack.

One can still provide services to Fedora maintainers without using FAS, e.g. a
ppc machine that can be used by maintainers to debug their package on that
arch. Then the maintainers would send their SSH public key by themselves to the
administrator of the machine.
