bugzilla-daemon at mindrot.org
2006-Oct-04 00:45 UTC
[Bug 1247] ssh-agent prevents use of group permissions to control access to agent socket
http://bugzilla.mindrot.org/show_bug.cgi?id=1247
Summary: ssh-agent prevents use of group permissions to control
access to agent socket
Product: Portable OpenSSH
Version: 4.4p1
Platform: ix86
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ssh-agent
AssignedTo: bitbucket at mindrot.org
ReportedBy: g.clitheroe at gmail.com
Long time open source user, first time bug reporter - let me know if I
can do better etc!
We use an agent account to run an ssh-agent. Process accounts belong to
an agent group and we use unix group permissions to control access to
the agent socket. This means we have one shared agent process per
server that is easy to monitor etc. I think this approach is outlined
in the O'Reilly book.
ssh-agent now checks uid and euid and this disables the use of group
permissions to control access to the socket, the process account now
can't use the ssh-agent provided by the agent account.
e.g.,
as 'agent'
ssh-agent -c | head -2 > agent-info.c
source agent-info.c
source agent-info.c
ssh-add .ssh/process-account-key
chmod -R 770 agent.agent /tmp/ssh-socket-dir
as 'process account'
source /home/agent/agent-info.c
try and ssh somewhere:
ssh -i .ssh/process-account-key process at server
Error reading response length from authentication socket.
The disabling of use of group permissions is caused by L912-918 of
ssh-agent.c I commented this code out, rebuilt and the agent account
now works as we require.
if ((euid != 0) && (getuid() != euid)) {
error("uid mismatch: "
"peer euid %u != uid %u",
(u_int) euid, (u_int) getuid());
close(sock);
break;
}
A command line flag to disable the use of group permissions (ie the
default being that ssh-agent doesn't check euid), or removing the code
would be good.
Cheers,
Geoff
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
Reasonably Related Threads
- Might a patch to ssh-agent to allow relaxing of peer euid check be accepted?
- OpenSSH ControlAllowUsers, et al Patch
- [Bug 1247] ssh-agent prevents use of group permissions to control access to agent socket
- [Bug 1247] ssh-agent prevents use of filesystem permissions to control access to agent socket
- [Bug 1247] ssh-agent prevents use of filesystem permissions to control access to agent socket
Wisdom of the Ancients
