Might a patch to ssh-agent to allow relaxing of peer euid check be accepted?

Matthew Miller mattdm at mattdm.org
Thu May 19 23:25:30 EST 2011

Peter Stuge wrote:
>> Right now, ssh-agent makes a check using getpeereid(), and declines
>> access if it fails. This is very sensible in general, but breaks this
>> particular case. Might a patch to allow an option to ssh-agent to relax
>> the check be accepted?
> I doubt it. I would suggest that you implement an ssh-agent proxy to sit
> in front of the actual agent, running as keyholder, where you implement
> policy.

That's an interesting idea. However, for this case, that introduces
complication without particular benefit, as we're not wanting to implement
any particular policy but rather have ssh-agent _refrain_ from enforcing a
hard-coded one. Without the check, simple policy can be implemented at the
filesystem level (or through various security modules).

It's worth noting that sshd itself doesn't implement the policy that
ssh-agent does. If you forward your ssh-agent connection to a remote
machine, there is no similar check.

So, I do hope the simple patch can be considered.

Matthew Miller           mattdm at mattdm.org          <http://mattdm.org/>

More information about the openssh-unix-dev mailing list