Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Date: Tue, 4 Dec 2001 22:37:57 -0800
From: Seth Delackner <seth AT jtan DOT com>
To: cygwin AT cygwin DOT com
Subject: Safety of ssh-agent re: fake unix sockets?
Message-ID: <20011204223757.A17439@io.jtan.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i

Way back in January, in message
http://www.cygwin.com/ml/cygwin/2001-01/msg00063.html

I think Egor Duda, but perhaps David Peterson wrote
that the socket implementation in cygwin allowed an
attacker to simply send an RSA auth request to a
specific port on your machine and presto, he would
receive your private key.

Since there were no replies to this message (that I
can find), I'm really interested to hear if anyone
has solved this or if he is incorrect?

I really don't want to have to setup a port-blocking
firewall just to prevent this, especially considering
that ZoneAlarm is doing a fine job with application-
specific blocking (and I have no other services running
that outsiders could abuse).

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/