ssh-agent allowing access to other users?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Apr 2 08:36:08 EST 2013


hi openssh folks--

thanks to openbsd-compat/getpeereuid.c, ssh-agent refuses to allow
connections from other users.  This is great in the general case, but in
some cases I would like to use the agent to mask off access to the raw
public key material but make it available for use by other user accounts.

For an example use case, see what Tollef (cc'ed here) was trying to do
in [0].  Running the agent as one user and permitting access from
another user via filesystem permissions currently fails due to the euid
check in ssh-agent.c.

Is it unreasonable to propose a slight weakening of this check when
deliberately configured?  If so, what interface would seem most
reasonable to permit?

Some example interface choices:

 A) ssh-agent could take a new -g option indicating the name of a unix
group; if a peer's euid is a member of that group (based on the same
logic used by sshd's AllowGroups option) then access would be granted.

 B) the SSH_ALLOWED_EUIDS environment variable for the ssh-agent process
could be read as a whitespace-separated list of acceptable numeric uids
to allow connections from?

 C) some other configuration interface/authorization interface?  I'm
open to suggestions...

I'd be happy to write up a patch for A or B if folks think either would
be reasonable.

Feedback?  Thoughts?

Regards,

	--dkg


[0]
http://err.no/personal/blog/tech/2013-03-22-09-45_sharing_an_ssh_key_securely.html
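Added illustration, not code from OpenSSH or from this post: a peer-credential check on an AF_UNIX agent socket with the group extension of option A bolted on, where passing no group keeps the current same-euid-only behaviour and any lookup failure fails closed. It assumes Linux (SO_PEERCRED; OpenSSH's compat layer wraps the BSD getpeereid() equivalent), and the function names are my own.

```c
#define _GNU_SOURCE                     /* struct ucred on glibc */
#include <grp.h>
#include <pwd.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>
/* Peer's effective uid on a connected AF_UNIX socket via Linux SO_PEERCRED
 * (BSDs expose the same through getpeereid()). Returns 0 ok, -1 error. */
static int peer_euid(int fd, uid_t *euid)
{
    struct ucred cr;
    socklen_t len = sizeof(cr);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &len) < 0) return -1;
    *euid = cr.uid;
    return 0;
}
/* Option A: is uid a member of the named group (primary or supplementary)? */
static int uid_in_group(uid_t uid, const char *group)
{
    struct passwd *pw = getpwuid(uid);
    struct group *gr = getgrnam(group);
    if (pw == NULL || gr == NULL) return 0;   /* unknown uid or group: deny */
    if (pw->pw_gid == gr->gr_gid) return 1;   /* primary group match */
    for (char **m = gr->gr_mem; *m != NULL; m++)
        if (strcmp(*m, pw->pw_name) == 0)
            return 1;                         /* supplementary member */
    return 0;
}
/* Owner always allowed; others only via the configured group. group == NULL
 * reproduces the existing same-euid-only behaviour. */
static int uid_allowed(uid_t peer, uid_t owner, const char *group)
{
    return peer == owner || (group != NULL && uid_in_group(peer, group));
}
/* Decide for an accepted client fd; a failed credential lookup fails closed. */
static int agent_peer_allowed(int fd, const char *group)
{
    uid_t peer;
    return peer_euid(fd, &peer) == 0 && uid_allowed(peer, geteuid(), group);
}
/* Self-check: both ends of a socketpair belong to this process, so the
 * default policy (no group configured) must accept it. */
static int socketpair_self_check(void)
{
    int sv[2], ok;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0;
    ok = agent_peer_allowed(sv[0], NULL);
    close(sv[0]), close(sv[1]);
    return ok;
}
```

In a real agent the decision would run right after accept(), before any request bytes are read.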
