On Thu May 22 2008, Mike McGrath wrote:
On Thu, 22 May 2008, Jeremy Katz wrote:
> And the risk isn't increased by us allowing third-party groups to do
> auth via FAS. This risk is present whenever any user logs in to another
> machine with agent forwarding. Which is requested by the user/client --
> not the machine being logged into
The risk does increase as far as targeting goes though. If you were to do
this type of attack right now, how would you go about doing it and what
machines would you use? If we start allowing third party machines that
have basically no barrier to entry it becomes much easier to plan and
execute the attack.
One can still provide services to Fedora maintainers without using FAS, e.g. a
ppc machine that can be used by maintainers to debug their package on that
arch. Then the maintainers would send their ssh public key by themselves to the
administrator of the machine.
Regards,
Till