vulnerability with ssh-agent

Jefferson Ogata Jefferson.Ogata at noaa.gov
Wed Jul 14 06:40:11 EST 2004


Keld Jørn Simonsen wrote:
> I was thinking along the lines of deleting the socket in temp, if an
> option "delete_ssk_auth_socket" was given in config, and then only
> processes that inherited the socket via fork() would have access to the
> socket, via an open file descriptor. An intruder would then need to
> program opening of an inode that was deleted, which is much harder than
> just using readily available ssh with an easy-to-find SSH_AUTH_SOCKET.
> This would work fine in the standard setup, where ssh-agent is launched
> as part of the initiation of X. 

Even if you could make this work, the socket would still be accessible
to root on Linux under /proc/pid/fd.

-- 
Jefferson Ogata <Jefferson.Ogata at noaa.gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt at noaa.gov>
More information about the openssh-unix-dev mailing list