On 19.07.23 16:40, Damien Miller wrote:> Exploitation can also be prevented by starting ssh-agent(1) with an
> empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring
> an allowlist that contains only specific provider libraries.
Upon trying to deploy such a workaround, I found that the call to
ssh-agent(1) nowadays is hidden *ridiculously* deep in the GUI startup
mechanisms. (As in, did "find | xargs grep ssh-agent" and such across
the entire OS install and *still* haven't found it.)
Feature request: Please consider giving ssh-agent(1) a config file(s) to
drop at least the potentially security-relevant options into.
(One would think that when the maintainers of hulking package X call out
to an executable of entirely different package Y that has a nontrivial
command line syntax, it'd be a no-brainer to put an X-maintained wrapper
script in between, just in case that the maintainers of Y pull an
ncat(1) and rename a bunch of options, but noooo ...)
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3449 bytes
Desc: S/MIME Cryptographic Signature
URL:
<http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20230720/e57676be/attachment-0001.p7s>