openssh-agent polling
Jefferson Ogata
Jefferson.Ogata at noaa.gov
Mon Sep 17 11:13:05 EST 2007
On 09/17/07 01:05, Damien Miller wrote:
> On Mon, 17 Sep 2007, Jefferson Ogata wrote:
>
>>> This might connect you to a hostile ssh-agent that harvests your keys.
>> That's precisely what the -O "$x" is there to prevent.
>
> Sorry - I missed that. There is still a small, unlikely race if an agent
> is exiting at the moment your shell initialisation is running :)
True, and in retrospect I think there's a race on someone doing
something like the following:

    mkdir /tmp/ssh-00000
    ln /tmp/ssh-XYXYXYX/agent.11111 /tmp/ssh-00000/

where /tmp/XYXYXY/agent.11111 is a legitimate agent running as the user.
Then wait till the user has found it, and

    rm /tmp/ssh-00000
    ln /tmp/ssh-ZZZZZZZ/agent.31337 /tmp/ssh-00000/

where /tmp/ssh-ZZZZZZZZ/agent.31337 is the harvester.
There are ways of mitigating this--check ownership of /tmp/ssh-ZZZZZZZZ
directory as well (should be root), but overall I agree with you that
the explicit location in the user's home is superior. I actually have
always wondered why the agent sockets have been put under /tmp and not ~
or ~/.ssh.
--
Jefferson Ogata <Jefferson.Ogata at noaa.gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt at noaa.gov>
"Never try to retrieve anything from a bear."--National Park Service
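
The mitigation mentioned in the message above (checking ownership of the socket's directory as well as the socket itself) can be sketched as follows. This is an added example, not part of the original post or of OpenSSH; the function name `agent_socket_is_trustworthy`, its `trusted_dir_uids` parameter and the default of accepting a directory owned by the current user or root are assumptions.

```python
import os
import stat


def agent_socket_is_trustworthy(sock_path, trusted_dir_uids=None):
    """Return (ok, reason) for a candidate ssh-agent socket found by polling."""
    me = os.getuid()
    if trusted_dir_uids is None:
        # Assumption: accept a directory owned by the current user or by root.
        trusted_dir_uids = {me, 0}
    dir_path = os.path.dirname(os.path.abspath(sock_path))
    try:
        # O_NOFOLLOW: refuse a directory name that has been replaced by a symlink.
        dir_fd = os.open(dir_path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    except OSError as exc:
        return False, "cannot open directory: %s" % exc.strerror
    try:
        dst = os.fstat(dir_fd)
        if dst.st_uid not in trusted_dir_uids:
            return False, "directory owned by untrusted uid"
        if dst.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return False, "directory is group/world writable"
        try:
            # Look the socket up relative to the directory we already hold open,
            # so both checks refer to the same directory inode.
            sst = os.stat(os.path.basename(sock_path), dir_fd=dir_fd,
                          follow_symlinks=False)
        except OSError as exc:
            return False, "cannot stat socket: %s" % exc.strerror
        if not stat.S_ISSOCK(sst.st_mode):
            return False, "not a socket"
        if sst.st_uid != me:
            return False, "socket not owned by current user"
        return True, "ok"
    finally:
        os.close(dir_fd)


if __name__ == "__main__":
    candidate = os.environ.get("SSH_AUTH_SOCK", "")
    print(candidate, agent_socket_is_trustworthy(candidate) if candidate else "unset")
```

A hard link to a legitimate socket keeps the user's own uid, so it is the directory checks that reject the /tmp/ssh-00000 case. A window between this check and the later connect still remains.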