Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Do not run it if you use ssh-agent!

Remember agent will forward all of your ssh keys to the untrusted server.



You mean like https://github.com/mag-.keys ? SSH public keys should not be secrets.


If you ssh into a host and use ssh-agent + `ForwardAgent Yes` - host can get your PRIVATE key.


They can't get your private key - But they can make use of it so long as you're connected. Definitely only enable `ForwardAgent` for hosts that you trust.


Code is open source! I don't look at your public keys or private keys. I hash IPs so we have IDs that can't be tracked back to the IP.


Instead of (just) downvoting him, why not correct him? Look at his age!


Does this not require ForwardAgent to be enabled?


Yes it should only be a problem if

  ssh -A sshchat.hackclub.com
is used to connect.


Tell me more about how that works.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: