vulnerability with ssh-agent

Markus Friedl markus at openbsd.org
Sun Jul 18 02:04:01 EST 2004


On Sat, Jul 17, 2004 at 05:04:15PM +0200, Keld Jørn Simonsen wrote:
> I understand that my level of competence here is way lower than that of
> a openssh hacker, but anyway, where there is a will, there is a way. 
> I am appalled by the ease it is to use the ssh-agent for an intruder.

i think there is no point in using inherited file descriptors
instead of a socket.  it's just a waste of time, and there even was
(broken) code in older versions of ssh for doing this, but it got
removed for several reasons.

moreover, there is no way to protect the agent against root.

the agent already protects the private keys against all non-root
users.  they cannot access the key material (the agent disables
coredumps and makes ptrace impossible because it's setgid), and if
you use a smartcard it even gets impossible for root users.

the agent never discloses the private key over the socket. additionally,
the agent disallows use of the key for users with a different uid
(with getpeereuid(2)).

if you need additional access control, then use ssh-add -c.

> I have also considered other ways of doing inter-process communication
> in a safe way, but sockets are probably the way to go.

there is no safe way.




More information about the openssh-unix-dev mailing list