ssh-agent for an entire unix group

Omri Bahumi omri.il at gmail.com
Tue Jun 12 05:31:06 EST 2012


Hello everyone,

I've recently needed to allow the use of the same private key to a
group of users without exposing it.
My first idea was to use ssh-agent. After running it I changed the
directory permissions and file permissions,
but it still didn't work (Long story short - one user actually has
access to the private & public key. He launches
the ssh-agent and imports the key. The other users in the group are
able to authenticate with it, but are unable to export it).

Further investigation revealed that there's a hard-coded protection
for accessing the agent from other users (besides root).
Even further investigation revealed that this check could not be
omitted, so, I wrote a patch that fixes it.
When running the ssh-agent with the -g flag, the /tmp directory is
created with group read-execute permissions and the
UNIX socket is created with read-write permissions (these are the
permissions required according to the unix(7) man page).

I've checked it and it works. My thoughts are:
1. No one thought about it before or no one needed this feature before
2. There's a security risk in this implementation (other than the
requirement itself)

Attached is the patch file. It's a patch against the Debian stable
version, although I checked it against the nightlies and it
wouldn't be so hard to integrate it inside the upstream.

So, any comments are much appreciated.

Cheers,
Omri Bahumi.
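Added example, not from Omri's message or his patch: an audit helper that applies the unix(7) rule the post relies on (connecting needs search permission on the socket's directory and write permission on the socket) to classify how far an agent socket's filesystem permissions reach. It only models this filesystem gate; the agent's own peer-uid check that the post describes is a separate gate. Assumptions: the directory and socket share one owning group, and `make_demo_socket` is a constructed helper that builds sample sockets in a temp dir for illustration.

```python
import os
import socket
import stat
import tempfile


def socket_exposure(sock_path: str) -> str:
    """Classify who, besides root and the owning uid, could connect.

    Applies the unix(7) rule: the caller needs execute (search) on the
    directory holding the socket and write on the socket itself.
    Returns 'world', 'group' or 'owner'. Assumes the directory and the
    socket are owned by the same group (as a group-shared agent would do).
    """
    st_sock = os.lstat(sock_path)
    if not stat.S_ISSOCK(st_sock.st_mode):
        raise ValueError(f"{sock_path} is not a UNIX socket")
    st_dir = os.stat(os.path.dirname(sock_path))

    # 'other' bits are checked first: world access implies group access.
    if st_dir.st_mode & stat.S_IXOTH and st_sock.st_mode & stat.S_IWOTH:
        return "world"
    if st_dir.st_mode & stat.S_IXGRP and st_sock.st_mode & stat.S_IWGRP:
        return "group"
    return "owner"


def make_demo_socket(dir_mode: int, sock_mode: int) -> str:
    """Constructed sample: bind a socket in a fresh temp dir and set modes.

    The socket object is closed immediately; the filesystem entry stays
    until unlinked, which is all the permission audit needs.
    """
    workdir = tempfile.mkdtemp(prefix="agent-demo.")
    path = os.path.join(workdir, "agent.sock")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.bind(path)
    os.chmod(workdir, dir_mode)   # e.g. 0o750 = group read-execute
    os.chmod(path, sock_mode)     # e.g. 0o660 = group read-write
    return path


if __name__ == "__main__":
    # Stock ssh-agent layout (0700 dir, 0600 socket) versus the post's -g layout.
    for modes in ((0o700, 0o600), (0o750, 0o660), (0o755, 0o666)):
        print(oct(modes[0]), oct(modes[1]), socket_exposure(make_demo_socket(*modes)))
```

Run it against a live agent with `socket_exposure(os.environ["SSH_AUTH_SOCK"])` to see what the filesystem alone would permit before the agent's uid check runs.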


More information about the openssh-unix-dev mailing list