bugzilla-daemon at mindrot.org
2006-Oct-04 00:45 UTC
[Bug 1247] ssh-agent prevents use of group permissions to control access to agent socket
http://bugzilla.mindrot.org/show_bug.cgi?id=1247

Summary: ssh-agent prevents use of group permissions to control access to agent socket
Product: Portable OpenSSH
Version: 4.4p1
Platform: ix86
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ssh-agent
AssignedTo: bitbucket at mindrot.org
ReportedBy: g.clitheroe at gmail.com

Long time open source user, first time bug reporter - let me know if I can do better etc!

We use an agent account to run an ssh-agent. Process accounts belong to an agent group and we use unix group permissions to control access to the agent socket. This means we have one shared agent process per server that is easy to monitor etc. I think this approach is outlined in the O'Reilly book.

ssh-agent now checks uid and euid and this disables the use of group permissions to control access to the socket; the process account now can't use the ssh-agent provided by the agent account.

e.g., as 'agent':

    ssh-agent -c | head -2 > agent-info.c
    source agent-info.c
    source agent-info.c
    ssh-add .ssh/process-account-key
    chmod -R 770 agent.agent /tmp/ssh-socket-dir

as 'process account':

    source /home/agent/agent-info.c

try and ssh somewhere:

    ssh -i .ssh/process-account-key process@server
    Error reading response length from authentication socket.

The disabling of use of group permissions is caused by L912-918 of ssh-agent.c. I commented this code out, rebuilt and the agent account now works as we require.

    if ((euid != 0) && (getuid() != euid)) {
            error("uid mismatch: "
                "peer euid %u != uid %u",
                (u_int) euid, (u_int) getuid());
            close(sock);
            break;
    }

A command line flag to disable the use of group permissions (ie the default being that ssh-agent doesn't check euid), or removing the code would be good.

Cheers,
Geoff

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
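The check quoted from ssh-agent.c above is a second line of defence on top of the socket's filesystem mode: the agent asks the kernel who is on the other end of the Unix socket and only serves a peer whose effective uid is root or matches its own, so a socket directory that is too permissive (or, as in the report, deliberately opened to a whole group) does not by itself hand every loaded key to other accounts. The following stand-alone C program is an added illustration of that mechanism and is not code from OpenSSH or from the bug reporter. It fetches the peer's effective uid the way the portable build does on Linux (SO_PEERCRED; getpeereid() on the BSDs), applies the same accept rule as a pure function so the reporter's situation can be exercised with chosen uids, and runs a self-test over a socketpair. The function names peer_euid, agent_peer_allowed, agent_check_socket and selftest_same_user are assumptions of this example.

```c
#define _GNU_SOURCE            /* struct ucred on glibc */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hypothetical helper: effective uid of the process at the other end of a
 * connected AF_UNIX socket. Linux exposes it via SO_PEERCRED; the BSDs and
 * macOS provide getpeereid(). Returns 0 on success, -1 on error. */
static int peer_euid(int sock, uid_t *euid)
{
#ifdef SO_PEERCRED
    struct ucred cr;
    socklen_t len = sizeof(cr);
    if (getsockopt(sock, SOL_SOCKET, SO_PEERCRED, &cr, &len) == -1)
        return -1;
    *euid = cr.uid;
    return 0;
#else
    gid_t egid;
    return getpeereid(sock, euid, &egid);
#endif
}

/* The acceptance rule from the ssh-agent.c excerpt in the bug report:
 * serve the peer when it is root, or when its euid equals the agent's uid.
 * Group membership plays no part, which is exactly why the reporter's
 * group-permission scheme stops working. 'my_uid' stands in for getuid()
 * so the rule can be evaluated for arbitrary values. Returns 1 = accept,
 * 0 = reject. */
int agent_peer_allowed(uid_t peer, uid_t my_uid)
{
    return (peer == 0 || peer == my_uid) ? 1 : 0;
}

/* Apply the rule to a live socket, as would happen right after accept().
 * A failure to obtain credentials is treated as a rejection. */
int agent_check_socket(int sock)
{
    uid_t euid;
    if (peer_euid(sock, &euid) == -1)
        return 0;
    return agent_peer_allowed(euid, getuid());
}

/* Self-test on a socketpair: both ends belong to this process, so the
 * kernel reports our own euid as the peer and the check must accept.
 * Returns 1 on success, 0 on failure. */
int selftest_same_user(void)
{
    int fds[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, fds) == -1)
        return 0;
    int ok = agent_check_socket(fds[0]);
    close(fds[0]);
    close(fds[1]);
    return ok;
}

int main(void)
{
    /* Constructed sample uids: agent account 1000, a fellow group member 1001. */
    printf("same uid   : %s\n", agent_peer_allowed(1000, 1000) ? "accept" : "reject");
    printf("root peer  : %s\n", agent_peer_allowed(0, 1000)    ? "accept" : "reject");
    printf("group peer : %s\n", agent_peer_allowed(1001, 1000) ? "accept" : "reject");
    printf("socketpair : %s\n", selftest_same_user() ? "accept" : "reject");
    return 0;
}
```

The "group peer" line is the reporter's case: the process account shares a group with the agent account, the socket mode permits the connect(), and the agent still refuses because the kernel-reported euid differs. Removing the check, as the report describes, means access to the agent is governed solely by who can reach the socket path, so the directory and socket modes (and the ownership of every parent directory) become the only thing standing between a key and every account that can open the socket.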