tran dung
2017-Nov-02 03:31 UTC
Is it good for agent forwarding to creates socket in /tmp/
Hi Alexander Wuerstlein

Thanks for the information.

Now I agree that it's better to save the socket in /tmp/
I checked the source code and found that it is hard-coded.

    /* Allocate a buffer for the socket name, and format the name. */
    auth_sock_dir = xstrdup("/tmp/ssh-XXXXXXXXXX");

It would be nice if openssh provided an option to overwrite this default.

Regards
Tran

Best Regards
-----------------------
Tran Van Dung

On Wed, Nov 1, 2017 at 10:19 PM, Alexander Wuerstlein <arw at cs.fau.de> wrote:
> On 2017-11-01T11:27, tran dung <trandung0101 at gmail.com> wrote:
> > Hi
> >
> > After logging in to a remote server with ForwardAgent enabled, sshd on the
> > remote server creates a socket at /tmp/ and permission is 0755/srwxr-xr-x.
> > What is the reason to allow everyone to read this socket?
>
> I can't answer that part really.
>
> I only vaguely remember that for sockets in some operating systems the
> permissions are ignored and only ownership grants any access. But I'm
> really not sure.
>
> > Also, is it better to save this socket in /home/user/.ssh/?
>
> No. Sockets are special files, and the home directory is often mounted
> via some network file system like NFS, SMB or AFS. Depending on type and
> configuration, sockets won't be able to exist there, so you need a
> filesystem that supports them, which /tmp should always do. Also,
> network file systems will create the additional headache of making sure
> that the socket's name is unique across the whole network, not just the
> local machine. That's why a local filesystem is preferable. And then
> there is the argument that it's messy to put the socket in ~/.ssh, since
> ~/.ssh is for more permanent kinds of files, whereas the socket is
> temporary in nature, thus belonging in /tmp.
>
>
> Ciao,
>
> Alexander Wuerstlein.
Damien Miller
2017-Nov-02 05:18 UTC
Is it good for agent forwarding to creates socket in /tmp/
On Thu, 2 Nov 2017, tran dung wrote:
> Hi Alexander Wuerstlein
>
> Thanks for the information.
>
> Now I agree that it's better to save the socket in /tmp/
> I checked the source code and found that it is hard-coded.
> /* Allocate a buffer for the socket name, and format the name. */
> auth_sock_dir = xstrdup("/tmp/ssh-XXXXXXXXXX");
> It would be nice if openssh provided an option to overwrite this default.

It does: "ssh-agent -a /path". You'll need to do your own 'mktemp -d'
or equivalent to get a temporary directory if you want a random-looking
path.

-d
Jakub Jelen
2017-Nov-06 14:04 UTC
Is it good for agent forwarding to creates socket in /tmp/
On Thu, 2017-11-02 at 16:18 +1100, Damien Miller wrote:
> On Thu, 2 Nov 2017, tran dung wrote:
> > Hi Alexander Wuerstlein
> >
> > Thanks for the information.
> >
> > Now I agree that it's better to save the socket in /tmp/
> > I checked the source code and found that it is hard-coded.
> > /* Allocate a buffer for the socket name, and format the name. */
> > auth_sock_dir = xstrdup("/tmp/ssh-XXXXXXXXXX");
> > It would be nice if openssh provided an option to overwrite this
> > default.
>
> It does: "ssh-agent -a /path". You'll need to do your own 'mktemp -d'
> or equivalent to get a temporary directory if you want a random-looking
> path.

It does for the ssh-agent socket location, but not for the agent forwarding in
the sshd server [1], which is what this thread started with. Configuring this in
sshd_config could be useful, though I don't see a big value in it. The tmp is
portable and with the measures that OpenSSH is using also secure.

[1] https://github.com/openssh/openssh-portable/blob/b7548b12a6b2b4abf4d057192c353147e0abba08/session.c#L201

Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
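As an added example (not code from the thread, from OpenSSH, or from any of the posters), the procedure Damien Miller describes, a private directory from mktemp -d and then ssh-agent -a pointed into it, together with a check that the directory is what protects the socket. This is also the measure Jakub Jelen alludes to on the sshd side: session.c creates /tmp/ssh-XXXXXXXXXX with mkdtemp(3), which gives the directory mode 0700, so other users cannot traverse into it regardless of the mode bits on the socket file inside. The template prefix "ssh-agent-", the socket name "agent.<pid>" and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example: a private 0700 directory for an agent socket, the way
# sshd's forwarded-agent directory and Damien Miller's "mktemp -d" +
# "ssh-agent -a" suggestion work. Not code from OpenSSH or the thread.

# Create a fresh directory under ${TMPDIR:-/tmp} and print its path.
# mktemp -d creates it with mode 0700, so the directory, not the socket
# file, is the access boundary. The "ssh-agent-" prefix is an assumption.
make_agent_socket_dir() {
    mktemp -d "${TMPDIR:-/tmp}/ssh-agent-XXXXXXXXXX"
}

# Return 0 only when "$1" is a real directory (not a symlink) owned by the
# caller's uid with mode exactly 0700; world-readable dirs, foreign owners
# and symlinks all return 1. find with -maxdepth 0 tests only the path itself.
check_socket_dir() {
    [ -d "$1" ] && [ ! -L "$1" ] || return 1
    [ -n "$(find "$1" -maxdepth 0 -type d -perm 700 -user "$(id -u)" 2>/dev/null)" ]
}

# Start ssh-agent bound to a socket inside a verified private directory and
# print the socket path. Refuses to run if the directory fails the check
# above, so a world-readable directory never gets an agent socket.
# The socket name "agent.<pid>" is this example's choice; ssh-agent itself
# binds the socket with a 0177 umask, so the file ends up 0600.
start_agent_in_dir() {
    check_socket_dir "$1" || { echo "refusing: $1 is not a private 0700 directory" >&2; return 1; }
    command -v ssh-agent >/dev/null 2>&1 || { echo "ssh-agent not installed" >&2; return 1; }
    sock="$1/agent.$$"
    ssh-agent -a "$sock" >/dev/null || return 1
    printf '%s\n' "$sock"
}

# Usage from an interactive shell (after sourcing this file):
#   dir=$(make_agent_socket_dir) \
#     && SSH_AUTH_SOCK=$(start_agent_in_dir "$dir") && export SSH_AUTH_SOCK
#   ssh-add -l    # talks to the agent over the private socket
```

The check is deliberately strict (exact 0700, same uid, no symlink): a directory that is merely "not world-writable" still lets other local users list and connect to the socket, which is exactly the concern raised at the top of the thread.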