Is it good for agent forwarding to creates socket in /tmp/
tran dung
trandung0101 at gmail.com
Thu Nov 2 14:31:09 AEDT 2017
Hi Alexander Wuerstlein
Thank for the information.
Now I agree that it's better to save the socket in /tmp/
I checked the source code and found that it is hard-coded.
/* Allocate a buffer for the socket name, and format the name. */
auth_sock_dir = xstrdup("/tmp/ssh-XXXXXXXXXX");
It would be nice if openssh provides an option to overwrite this default.
Regards
Tran
Best Regards
-----------------------
Tran Van Dung
On Wed, Nov 1, 2017 at 10:19 PM, Alexander Wuerstlein <arw at cs.fau.de> wrote:
> On 2017-11-01T11:27, tran dung <trandung0101 at gmail.com> wrote:
> > Hi
> >
> > After logging in to a remote server with ForwardAgent enabled, sshd on
> the
> > remote server creates a socket at /tmp/ and permission is
> 0755/srwxr-xr-x.
> > What is the reason to allow everyone to read this socket?
>
> I can't answer that part really.
>
> I only vaguely remember that for sockets in some operating systems the
> permissions are ignored and only ownership grants any access. But I'm
> really not sure.
>
> > Also, is it better to save this socket in /home/user/.ssh/?
>
> No. Sockets are special files, and the home directory is often mounted
> via some network file system like NFS, SMB or AFS. Depending on type and
> configuration, sockets won't be able to exist there, so you need a
> filesystem that supports them, which /tmp should always do. Also,
> network file systems will create the additional headache of making sure
> that the socket's name is unique across the whole network, not just the
> local machine. Thats why a local filesystem is preferable. And then
> there is the argument that its messy to put the socket in ~/.ssh, since
> ~/.ssh is for more permanent kinds of files, whereas the socket is
> temporary in nature, thus belonging in /tmp.
>
>
>
> Ciao,
>
> Alexander Wuerstlein.
>
More information about the openssh-unix-dev
mailing list