This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.



Safety of ssh-agent re: fake unix sockets?


Way back in January, in message
http://www.cygwin.com/ml/cygwin/2001-01/msg00063.html

I think Egor Duda, but perhaps David Peterson, wrote
that the socket implementation in cygwin allowed an
attacker to simply send an RSA auth request to a
specific port on your machine and presto, he would
receive your private key.

Since there were no replies to this message (that I
can find), I'm really interested to hear if anyone
has solved this or if he is incorrect?

I really don't want to have to set up a port-blocking
firewall just to prevent this, especially considering
that ZoneAlarm is doing a fine job with application-
specific blocking (and I have no other services running
that outsiders could abuse).


