On 01/04/13 23:36, Daniel Kahn Gillmor wrote:> hi openssh folks--
>
> thanks to openbsd-compat/getpeereuid.c, ssh-agent refuses to allow
> connections from other users. This is great in the general case, but in
> some cases, i would like to use the agent to mask off access to the raw
> public key material but make it available for use by other user accounts.
>
> For an example use case, see what Tollef (cc'ed here) was trying to do
> in [0]. running the agent as one user and permitting access from
> another user via filesystem permissions currently fails due to the euid
> check in ssh-agent.c.
>
> Is it unreasonable to propose a slight weakening of this check when
> deliberately configured? If so, what interface would seem most
> reasonable to permit?
Add a --allow-other-users or --give-keys-to-anyone parameter?
Given that there will be little use of such feature, it's hard to make
an interface
which serves everybody and someone disabling that check should know what
they are doing (and thus properly secure the fs permissions).
As for the problem of Tollef due to an evil ssh-agent (clever trick!), a
solution
would be to make /usr/bin/ssh-agent sgid to another group (eg.
?good-agent?), then check
in the sudo snippet (you better make a script...) that $SSH_AUTH_SOCK
belongs
to that group (and thus was created by the trusted code).
There are a few caveats for BSD:
* Some BSD flavours ignore socket permissions (but the containing folder
should still make the initial --allow-other-users socket safe).
* It may be possible to reattach to the socket under BSD using SO_REUSEADDR
in the second process (anyone wants to test with AF_UNIX?)
Under Linux (which is what Tollef seems to be using) it would apparently
work.
Anyone seeing a hole in that method?