Is it good for agent forwarding to creates socket in /tmp/

tran dung trandung0101 at
Thu Nov 2 14:31:09 AEDT 2017

Hi Alexander Wuerstlein

Thank for the information.

Now I agree that it's better to save the socket in /tmp/
I checked the source code and found that it is hard-coded.
        /* Allocate a buffer for the socket name, and format the name. */
        auth_sock_dir = xstrdup("/tmp/ssh-XXXXXXXXXX");
It would be nice if openssh provides an option to overwrite this default.


Best Regards
Tran Van Dung

On Wed, Nov 1, 2017 at 10:19 PM, Alexander Wuerstlein <arw at> wrote:

> On 2017-11-01T11:27, tran dung <trandung0101 at> wrote:
> > Hi
> >
> > After logging in to a remote server with ForwardAgent enabled, sshd on
> the
> > remote server creates a socket at /tmp/ and permission is
> 0755/srwxr-xr-x.
> > What is the reason to allow everyone to read this socket?
> I can't answer that part really.
> I only vaguely remember that for sockets in some operating systems the
> permissions are ignored and only ownership grants any access. But I'm
> really not sure.
> > Also, is it better to save this socket in /home/user/.ssh/?
> No. Sockets are special files, and the home directory is often mounted
> via some network file system like NFS, SMB or AFS. Depending on type and
> configuration, sockets won't be able to exist there, so you need a
> filesystem that supports them, which /tmp should always do. Also,
> network file systems will create the additional headache of making sure
> that the socket's name is unique across the whole network, not just the
> local machine. Thats why a local filesystem is preferable. And then
> there is the argument that its messy to put the socket in ~/.ssh, since
> ~/.ssh is for more permanent kinds of files, whereas the socket is
> temporary in nature, thus belonging in /tmp.
> Ciao,
> Alexander Wuerstlein.

More information about the openssh-unix-dev mailing list