ssh-agent for an entire unix group

Omri Bahumi at
Tue Jun 12 05:31:06 EST 2012

Hello everyone,

I've recently needed to allow a group of users to use the same private
key without exposing it.
My first idea was to use ssh-agent. After running it I changed the
directory permissions and file permissions,
but it still didn't work. (Long story short: one user actually has
access to the private and public keys. He launches
the ssh-agent and imports the key. The other users in the group are
able to authenticate with it, but are unable to export it.)

Further investigation revealed that there's a hard-coded protection
against accessing the agent from other users (besides root).
Even further investigation revealed that this check could not be
omitted, so, I wrote a patch that fixes it.
When running the ssh-agent with the -g flag, the /tmp directory is
created with group read-execute permissions and the
UNIX socket is created with read-write permissions (these are the
permissions required according to the unix(7) man page).

I've checked it and it works. My thoughts are:
1. No one thought about it before or no one needed this feature before
2. There's a security risk in this implementation (other than the
requirement itself)

Attached is the patch file. It's a patch against the Debian stable
version, although I checked it against the nightlies and it
wouldn't be so hard to integrate it into upstream.

So, any comments are much appreciated.

Omri Bahumi.
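The two mechanisms this message touches, the peer-credential check that
ssh-agent applies to every connection (agent uid or root only) and the
filesystem permissions that unix(7) requires for a client to reach the
socket, as an added example that is not the attached patch nor OpenSSH
code. The patch itself is not on the page, so how "-g" decides who is in
the group is this example's assumption: a peer whose gid equals the
agent's gid is accepted. Linux-only, since it reads SO_PEERCRED; the
function and file names are this example's own.

```python
import os
import socket
import stat
import struct
import tempfile


def peer_allowed(peer_uid, peer_gid, agent_uid, agent_gid, group_mode=False):
    """Policy mirroring ssh-agent's per-connection uid check, plus the
    group relaxation.  ASSUMPTION: group membership is modelled as
    "peer gid == agent gid"; the real patch may define it differently."""
    if peer_uid == 0:                           # root is always allowed
        return True
    if peer_uid == agent_uid:                   # the user who started the agent
        return True
    if group_mode and peer_gid == agent_gid:    # the proposed -g relaxation
        return True
    return False


def socket_modes(group_mode):
    """(directory mode, socket mode).  unix(7): connect() needs write
    permission on the socket node and search (execute) permission on every
    directory in its path, so the group needs r-x on the dir and rw- on
    the socket; without -g both stay owner-only as ssh-agent does today."""
    if group_mode:
        return 0o750, 0o660
    return 0o700, 0o600


def create_agent_socket(group_mode=False, parent=None):
    """Create the ssh-XXXXXX directory and a bound, listening agent socket
    with the modes above.  Returns (listening socket, socket path)."""
    dir_mode, sock_mode = socket_modes(group_mode)
    sockdir = tempfile.mkdtemp(prefix="ssh-", dir=parent or tempfile.gettempdir())
    os.chmod(sockdir, dir_mode)
    path = os.path.join(sockdir, "agent.%d" % os.getpid())
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o777 & ~sock_mode)    # bind() creates the node under umask
    try:
        srv.bind(path)
    finally:
        os.umask(old_umask)
    os.chmod(path, sock_mode)                   # belt and braces against a wide umask
    srv.listen(5)
    return srv, path


def path_mode(path):
    """Permission bits of a filesystem node, e.g. 0o750."""
    return stat.S_IMODE(os.stat(path).st_mode)


def peer_credentials(conn):
    """(uid, gid) of the process on the other end of a connected AF_UNIX
    socket, via SO_PEERCRED (struct ucred: pid, uid, gid)."""
    data = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, gid = struct.unpack("3i", data)
    return uid, gid


def accept_checked(srv, group_mode=False):
    """Accept one client and apply the policy the way ssh-agent does on
    each new connection: a rejected peer is closed before any request is
    read.  Returns (allowed, connection-or-None)."""
    conn, _ = srv.accept()
    uid, gid = peer_credentials(conn)
    if not peer_allowed(uid, gid, os.getuid(), os.getgid(), group_mode):
        conn.close()
        return False, None
    return True, conn


def local_connection_allowed(group_mode=False):
    """End-to-end demo: create the socket, connect from this process (same
    uid as the 'agent'), and run the check.  Cleans up after itself."""
    srv, path = create_agent_socket(group_mode)
    try:
        client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        client.connect(path)
        allowed, conn = accept_checked(srv, group_mode)
        if conn is not None:
            conn.close()
        client.close()
        return allowed
    finally:
        srv.close()
        os.unlink(path)
        os.rmdir(os.path.dirname(path))


if __name__ == "__main__":
    print("same-uid client allowed:", local_connection_allowed(group_mode=True))
```

Note that the filesystem modes only decide who can connect; the uid check
in `peer_allowed` is what the message reports as the hard-coded barrier,
and it is evaluated after connect() succeeds, which is why relaxing the
permissions alone left the other group members unable to use the agent.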

More information about the openssh-unix-dev mailing list