ssh-agent too easy to hack
Peter Watkins
peterw at usa.net
Tue Jan 15 12:11:07 EST 2002
On Tue, Jan 15, 2002 at 01:52:26AM +0100, Tim McGarry wrote:
> > > SSH_AUTH_SOCK=/tmp/ssh-saZ24308/agent.24308?SALT=RaNdoMsTuFF447183414
>
> > Total waste of time. Your environment variables are public information,
>
> > Try: /usr/ucb/ps -ewwwww on Solaris if you don't believe me.
> You're right, so perhaps I'll write a wrapper around ssh (for legitimate
> users) to find the agent and set the env, even when the SSH_BLAH variables
> aren't set.
Let me guess, the wrapper will run SUID/SGID. It'll be another potential
attack vector for malicious local users (because it will, by necessity, be
world-executable). I'm very skeptical of your suggestions. It just seems
that by "closing" this hole, you're really just shifting the attack vector
to somewhere else, maybe making something worse in the process.
-Peter
--
One day you're gonna have to face the deep dark truthful mirror - E Costello
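As an added illustration of the point argued in this thread (example code, not from the thread or from OpenSSH): what protects an agent socket is the file-system permissions ssh-agent sets on its directory (0700) and socket (0600), not the secrecy of SSH_AUTH_SOCK, so a session can audit those permissions directly. The `make_sample_socket` helper builds a constructed sample socket so the check runs offline; the names are this example's own.

```python
import os
import socket
import stat
import tempfile


def audit_agent_socket(sock_path, uid=None):
    """Return a list of findings; an empty list means the socket looks sane.

    The checks mirror what ssh-agent sets up itself: a private directory
    (mode 0700) holding a socket (mode 0600), both owned by the user.
    """
    uid = os.getuid() if uid is None else uid
    try:
        st = os.lstat(sock_path)
    except FileNotFoundError:
        return ["socket path does not exist"]
    findings = []
    if not stat.S_ISSOCK(st.st_mode):
        findings.append("path is not a UNIX-domain socket")
    if st.st_uid != uid:
        findings.append("socket owned by uid %d, expected %d" % (st.st_uid, uid))
    if st.st_mode & 0o077:
        findings.append("socket is group/other accessible (mode %04o)" % (st.st_mode & 0o7777))
    # The directory matters as much as the socket: ssh-agent makes it 0700.
    pst = os.stat(os.path.dirname(os.path.abspath(sock_path)))
    if pst.st_uid != uid:
        findings.append("directory owned by uid %d, expected %d" % (pst.st_uid, uid))
    if pst.st_mode & 0o077:
        findings.append("directory is group/other accessible (mode %04o)" % (pst.st_mode & 0o7777))
    return findings


def make_sample_socket(dir_mode=0o700, sock_mode=0o600):
    """Constructed sample (not a real agent): a temp dir holding a bound UNIX socket.

    Returns (path, socket); keep the socket object alive while auditing.
    """
    d = tempfile.mkdtemp(prefix="ssh-sample-")
    os.chmod(d, dir_mode)
    path = os.path.join(d, "agent.sock")
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(path)
    os.chmod(path, sock_mode)
    return path, s


if __name__ == "__main__":
    real = os.environ.get("SSH_AUTH_SOCK")
    print("SSH_AUTH_SOCK:", audit_agent_socket(real) if real else "not set")
    path, keep = make_sample_socket(dir_mode=0o755)
    print("sample with world-readable dir:", audit_agent_socket(path))
```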