I was wondering whether or not there is any sort of timestamping built into the ssh-agent/sshd systems that expires a signed public key after some period of time?
To be more precise, I was wondering what the effect of using Trezor's ssh-agent would be on a malware'd computer? It's my understanding that at some point the Trezor will sign off on a key which could be stored indefinitely and used by an attacker for further logins. Is this correct?
When using public key authentication, the SSH server sends the client a random challenge.
The client should sign it with its secret key, and the server will allow the connection to proceed if it can verify the signature using the client's public key.
If the client's machine has malware, it can only have access to a single signature each time a connection is made - and if the SSH server sends a different challenge each time, it can't be used for a replay attack.
Hope this helps :)
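
The replay case from this thread, as an added example that is not part of the original issue or the project's code: a signature captured on one connection is presented on a second connection and rejected. It assumes an Ed25519 key and models the per-connection value as a random 32-byte challenge (in the SSH protocol itself, RFC 4252, the signed data includes the session identifier from the key exchange); the `Server` type and function names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server is a hypothetical stand-in for sshd holding the user's authorized public key.
type Server struct {
	authorized ed25519.PublicKey
}

// NewChallenge returns fresh random bytes for one connection (simplified model).
func (s *Server) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Verify accepts a login only if sig is valid over this connection's challenge.
func (s *Server) Verify(challenge, sig []byte) bool {
	return ed25519.Verify(s.authorized, challenge, sig)
}

// ReplayDemo returns (result of the legitimate login, result of the replay).
func ReplayDemo() (bool, bool) {
	// priv stands for the key that never leaves the hardware device.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	srv := &Server{authorized: pub}

	// Connection 1: the device signs the challenge; the host sees the signature.
	c1 := srv.NewChallenge()
	sig1 := ed25519.Sign(priv, c1)
	captured := append([]byte(nil), sig1...) // copy kept by software on the host
	legit := srv.Verify(c1, sig1)

	// Connection 2: a new challenge is issued, so the stored signature no longer matches.
	c2 := srv.NewChallenge()
	return legit, srv.Verify(c2, captured)
}

func main() {
	legit, replay := ReplayDemo()
	fmt.Printf("fresh signature accepted: %v\nstored signature accepted later: %v\n", legit, replay)
}
```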