Re: OpenSSH uploaded replacing ssh, please test

To: Joey Hess <joeyh@debian.org>
Cc: debian-devel@lists.debian.org
Subject: Re: OpenSSH uploaded replacing ssh, please test
From: ruud@ruud.org (Ruud de Rooij)
Date: 04 Nov 1999 22:07:48 +0100
Message-id: <87vh7i7yor.fsf@hobbes.home.ruud.org>
In-reply-to: Joey Hess's message of "Thu, 4 Nov 1999 12:37:29 -0800"
References: <19991104183652.A11827@hq.yok.utu.fi> <Pine.SOL.4.10a.9911041946170.17870-100000@red.csi.cam.ac.uk> <19991104123729.M19976@kitenet.net>

Joey Hess <joeyh@debian.org> writes:

> Jules Bean wrote:
> > Correct me if I'm wrong, but the only way someone could install such a
> > sneaky app is if they have root access on that machine, or access to your
> > account on that machine.  And if they have either of those things, you
> > have no security anyway, because they can run circles around any security
> > measure you impose.
> 
> All someone needs to run an invisible keyboard grabber is for you to mess up
> your Xauthority for a minute. Ie, run "xhost +", or leak your Xauthority
> cookie, etc.

Both the original ssh askpass as well as the one just posted, (try to)
prevent this type of attack by temporarily obtaining exclusive access
to the keyboard (similar to xterm's "secure keyboard" menu item).

	- Ruud de Rooij.
-- 
ruud de rooij | ruud@ruud.org | http://ruud.org

Reply to:

References:
- Re: OpenSSH uploaded replacing ssh, please test
  - From: Tommi Virtanen <tv@debian.org>
- Re: OpenSSH uploaded replacing ssh, please test
  - From: Jules Bean <jmlb2@hermes.cam.ac.uk>
- Re: OpenSSH uploaded replacing ssh, please test
  - From: Joey Hess <joeyh@debian.org>

Prev by Date: Re: all xterms
Next by Date: Re: Intention to Donate troll-ftpd 1.25
Previous by thread: Re: OpenSSH uploaded replacing ssh, please test
Next by thread: Re: OpenSSH uploaded replacing ssh, please test
Index(es):
- Date
- Thread