ssh-agent allowing access to other users?

Tollef Fog Heen tfheen at err.no
Tue Apr 2 16:29:55 EST 2013


]] Ángel González 

Daniel, thanks a lot for following up on this, I've been pondering how
to do it over Easter, but not gotten around to actually writing any
mails.

> As for the problem of Tollef due to an evil ssh-agent (clever trick!),
> a solution would be to make /usr/bin/ssh-agent sgid to another group
> (eg. ‘good-agent’), then check in the sudo snippet (you better make a
> script...) that $SSH_AUTH_SOCK belongs to that group (and thus was
> created by the trusted code).

I had an idea along those lines, yes, and it will mostly work, except:

ssh-agent is currently (in my setup) sgid ssh.  Almost as the first
thing in main, it does a setegid(getgid()); setgid(getgid()), so the
socket itself is gid tfheen, not gid ssh.  I am not entirely sure why it
drops those privileges (gid ssh is, as Daniel explains, merely used to
prevent ptracing the process, thereby preventing leaked keys caused by
an exploit of other processes belonging to the user), or if it could be
taught not to.

> Under Linux (which is what Tollef seems to be using) it would apparently
> work.
> Anyone seeing a hole in that method?

Correct, I'm on Linux (Debian to be precise).

Cheers,
-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
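The ownership check Ángel proposes, written out as an added example (this is not code from the thread or from OpenSSH): a small sh function the sudo wrapper script can call to confirm that `$SSH_AUTH_SOCK` names a real Unix socket, owned by the invoking user and carrying the trusted sgid group. The group name `good-agent` is the hypothetical one from Ángel's mail, and the `stat -c` invocation assumes GNU coreutils, i.e. the Linux setup Tollef describes. Bear in mind Tollef's objection: because ssh-agent calls `setegid`/`setgid` back to the user's gid before it creates the socket, the socket currently ends up with the user's primary group, so this check rejects it unless ssh-agent is taught to keep the sgid group.

```shell
#!/bin/sh
# Added example: verify that the agent socket in $SSH_AUTH_SOCK was created
# by the trusted (sgid) ssh-agent. Assumes GNU stat; "good-agent" is the
# hypothetical group from the thread.

TRUSTED_GROUP="${TRUSTED_GROUP:-good-agent}"

# Print "user group" for a path (follows symlinks; GNU stat).
sock_owner() {
    stat -c '%U %G' "$1" 2>/dev/null
}

# check_agent_socket PATH [GROUP]
# Exit status: 0 trusted, 1 unset/missing path, 2 not a plain socket
# (regular file or symlink), 3 not owned by the invoking user, 4 wrong group.
check_agent_socket() {
    path="$1"
    group="${2:-$TRUSTED_GROUP}"
    # Under sudo the invoking user is in SUDO_USER; outside sudo it is us.
    expected_user="${SUDO_USER:-$(id -un)}"

    [ -n "$path" ] && [ -e "$path" ] || return 1
    # Reject symlinks outright so the caller cannot point us at another socket.
    if [ -L "$path" ] || ! [ -S "$path" ]; then
        return 2
    fi
    set -- $(sock_owner "$path")      # $1 = owner, $2 = group
    [ "$1" = "$expected_user" ] || return 3
    [ "$2" = "$group" ] || return 4   # the group only the sgid agent can set
    return 0
}

# Usage from the sudo wrapper script (uncomment there, not here):
#   check_agent_socket "$SSH_AUTH_SOCK" || { echo "untrusted agent socket" >&2; exit 1; }
```

The symlink rejection is stricter than the mail asks for, but it costs nothing: ssh-agent creates the socket itself and never hands out a symlink, so anything that is not a socket inode is not the agent's work.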


More information about the openssh-unix-dev mailing list