openssh-agent polling

Jefferson Ogata Jefferson.Ogata at
Mon Sep 17 11:13:05 EST 2007

On 09/17/07 01:05, Damien Miller wrote:
> On Mon, 17 Sep 2007, Jefferson Ogata wrote:
>>> This might connect you to a hostile ssh-agent that harvests your keys.
>> That's precisely what the -O "$x" is there to prevent.
> Sorry - I missed that. There is still a small, unlikely race if an agent
> is exiting at the moment you shell initialisation is running :)

True, and in retrospect I think there's a race on someone doing
somethink like the following:

mkdir /tmp/ssh-00000
ln /tmp/ssh-XYXYXYX/agent.11111 /tmp/ssh-00000/

where /tmp/XYXYXY/agent.11111 is a legitimate agent running as the user.

Then wait till the user has found it, and

rm /tmp/ssh-00000
ln /tmp/ssh-ZZZZZZZ/agent.31337 /tmp/ssh-00000/

where /tmp/ssh-ZZZZZZZZ/agent.31337 is the harvester.

There are ways of mitigating this--check ownership of /tmp/ssh-ZZZZZZZZ
directory as well (should be root), but overall I agree with you that
the explicit location in the user's home is superior. I actually have
always wondered why the agent sockets have been put under /tmp and not ~
or ~/.ssh.

Jefferson Ogata <Jefferson.Ogata at>
NOAA Computer Incident Response Team (N-CIRT) <ncirt at>
"Never try to retrieve anything from a bear."--National Park Service

More information about the openssh-unix-dev mailing list