[Bug 1247] ssh-agent prevents use of group permissions to control access to agent socket

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Wed Oct 4 10:45:03 EST 2006


http://bugzilla.mindrot.org/show_bug.cgi?id=1247

           Summary: ssh-agent prevents use of group permissions to control
                    access to agent socket
           Product: Portable OpenSSH
           Version: 4.4p1
          Platform: ix86
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ssh-agent
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: g.clitheroe at gmail.com


Long time open source user, first time bug reporter - let me know if I
can do better etc!

We use an agent account to run an ssh-agent. Process accounts belong to
an agent group and we use unix group permissions to control access to
the agent socket.  This means we have one shared agent process per
server that is easy to monitor etc. I think this approach is outlined
in the O'Reilly book.

ssh-agent now checks uid and euid and this disables the use of group
permissions to control access to the socket, the process account now
can't use the ssh-agent provided by the agent account.

e.g.,

as 'agent'

ssh-agent -c | head -2 > agent-info.c
source agent-info.c
source agent-info.c
ssh-add .ssh/process-account-key
chmod -R 770 agent.agent /tmp/ssh-socket-dir

as 'process account'

source /home/agent/agent-info.c

try and ssh somewhere:

ssh -i .ssh/process-account-key process at server
Error reading response length from authentication socket.


The disabling of use of group permissions is caused by L912-918 of
ssh-agent.c  I commented this code out, rebuilt and the agent account
now works as we require.

if ((euid != 0) && (getuid() != euid)) {
   error("uid mismatch: "
   "peer euid %u != uid %u",
   (u_int) euid, (u_int) getuid());
   close(sock);
   break;
}

A command line flag to disable the use of group permissions (i.e. the
default being that ssh-agent doesn't check euid), or removing the code
would be good.

Cheers,
Geoff



