| delorie.com/archives/browse.cgi | search |
| Mailing-List: | contact cygwin-help AT cygwin DOT com; run by ezmlm |
| List-Subscribe: | <mailto:cygwin-subscribe AT cygwin DOT com> |
| List-Archive: | <http://sources.redhat.com/ml/cygwin/> |
| List-Post: | <mailto:cygwin AT cygwin DOT com> |
| List-Help: | <mailto:cygwin-help AT cygwin DOT com>, <http://sources.redhat.com/ml/#faqs> |
| Sender: | cygwin-owner AT cygwin DOT com |
| Delivered-To: | mailing list cygwin AT cygwin DOT com |
| Date: | Tue, 4 Dec 2001 22:37:57 -0800 |
| From: | Seth Delackner <seth AT jtan DOT com> |
| To: | cygwin AT cygwin DOT com |
| Subject: | Safety of ssh-agent re: fake unix sockets? |
| Message-ID: | <20011204223757.A17439@io.jtan.com> |
| Mime-Version: | 1.0 |
| User-Agent: | Mutt/1.2.5i |
Way back in January, in message http://www.cygwin.com/ml/cygwin/2001-01/msg00063.html I think Egor Duda, but perhaps David Peterson wrote that the socket implementation in cygwin allowed an attacker to simply send an RSA auth request to a specific port on your machine and presto, he would receive your private key. Since there were no replies to this message (that I can find), I'm really interested to hear if anyone has solved this or if he is incorrect? I really don't want to have to setup a port-blocking firewall just to prevent this, especially considering that ZoneAlarm is doing a fine job with application- specific blocking (and I have no other services running that outsiders could abuse). -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Bug reporting: http://cygwin.com/bugs.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/
| webmaster | delorie software privacy |
| Copyright © 2019 by DJ Delorie | Updated Jul 2019 |