Might a patch to ssh-agent to allow relaxing of peer euid check be accepted?

Wout Mertens wmertens at cisco.com
Thu May 19 23:51:46 EST 2011


On May 19, 2011, at 15:25, Matthew Miller wrote:

> Peter Stuge wrote:
>>> Right now, ssh-agent makes a check using getpeereid(), and declines
>>> access if it fails. This is very sensible in general, but breaks this
>>> particular case. Might a patch to allow an option to ssh-agent to relax
>>> the check be accepted?
>> I doubt it. I would suggest that you implement an ssh-agent proxy to sit
>> in front of the actual agent, running as keyholder, where you implement
>> policy.
> 
> That's an interesting idea. However, for this case, that introduces
> complication without particular benefit, as we're not wanting to implement
> any particular policy but rather have ssh-agent _refrain_ from enforcing a
> hard-coded one. Without the check, simple policy can be implemented at the
> filesystem level (or through various security modules).

Why not simply give each user their own private key and add/remove it from the authorized_keys at the appropriate times?

Wout.


More information about the openssh-unix-dev mailing list