vulnerability with ssh-agent
Keld Jørn Simonsen
keld at dkuug.dk
Sun Jul 18 02:42:22 EST 2004
On Sat, Jul 17, 2004 at 06:04:01PM +0200, Markus Friedl wrote:
> On Sat, Jul 17, 2004 at 05:04:15PM +0200, Keld Jørn Simonsen wrote:
> > I understand that my level of competence here is way lower than that of
> > a openssh hacker, but anyway, where there is a will, there is a way.
> > I am appauled by the ease it is to use the ssh-agent for an intruder.
>
> i think there is not point in using inherited file descriptors
> instead of a socket. it's just a waste of time, and there even was
> (broken) code in older versions of ssh for doing this, but it got
> removed for several reasons.
Yes, maybe it is not doable. I just want to avoid really obvious ways of
misusing ssh-agent. I think all I ask for is a little
uncomprehensiveness, that the root intruder cannot just break things
with obvious use of standard tools, but that he will have to do some
programming.
Care to tell me the reasons for removing inherited sockets? Then I could
possibly take my crazy ideas off my mind.
> moreover, there is no way to protect the agent against root.
I was thinking of things that only could be done if the system calls
were allowable.
>
> the agent never discloses the private key over the socket. additionally,
> the agent disallows use of the key for users with a different uid prevented
> (with getpeereuid(2)).
Hmm, could you prevent it to root? I know, root can do everything.
But you could check the uid and euid. Then root needs to make both to
the actual user. Hmm, login user....
best regards
keld
More information about the openssh-unix-dev
mailing list