Permissions on the ssh-agent socket

Alexander Wuerstlein snalwuer at
Sat Mar 24 02:29:34 EST 2007


this may be a stupid question, but I'll ask anyways because I was unable to get
a satisfying answer somwhere else. So feel free to simply point out my stupidity,
if the problem lies only there.

The question:

If I start an ssh-agent, it creates a socket (/tmp/ssh-*/agent.*), with the socket's
and the directory's permissions set to 600. However, if I now connect to a remote host
with agent-forwarding enabled, the resulting socket on the remote host gets
permissions 755 (the directory still gets 700). 

What bothers me is the go+rx part, is there any specific reason to that?
If not, wouldn't it be better to be paranoid and use 600? 

The behaviour above applies to Linux (Debian testing, OpenSSH_4.3p2 Debian-9, 
OpenSSL 0.9.8c 05 Sep 2006), as well as Solaris (Solaris 10 06/06 x86, 
OpenSSH_4.5p1, OpenSSL 0.9.8d 28 Sep 2006) and FreeBSD (5.4, OpenSSH_3.6.1, SSH
protocols 1.5/2.0, OpenSSL 0x0090804f). Unfortunately I have no OpenBSD box
available to test that behaviour, so it could perhaps only affect portable 


Alexander Wuerstlein.

More information about the openssh-unix-dev mailing list