Is it good for agent forwarding to creates socket in /tmp/
Jakub Jelen
jjelen at redhat.com
Tue Nov 7 01:04:37 AEDT 2017
On Thu, 2017-11-02 at 16:18 +1100, Damien Miller wrote:
> On Thu, 2 Nov 2017, tran dung wrote:
>
> > Hi Alexander Wuerstlein
> >
> > Thanks for the information.
> >
> > Now I agree that it's better to save the socket in /tmp/
> > I checked the source code and found that it is hard-coded.
> > /* Allocate a buffer for the socket name, and format the name. */
> > auth_sock_dir = xstrdup("/tmp/ssh-XXXXXXXXXX");
> > It would be nice if openssh provides an option to overwrite this
> > default.
>
> It does: "ssh-agent -a /path". You'll need to do your own 'mktemp -d'
> or equivalent to get a temporary directory if you want a
> random-looking path.
It does for the ssh-agent socket location, but not for the agent forwarding
in the sshd server [1], as this thread started.
Configuring this in sshd_config could be useful, though I don't see a
big value in it. The tmp is portable and, with the measures that OpenSSH
is using, also secure.
[1] https://github.com/openssh/openssh-portable/blob/b7548b12a6b2b4abf4d057192c353147e0abba08/session.c#L201
Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
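
The private-directory pattern behind the "/tmp/ssh-XXXXXXXXXX" template quoted above, as an added example that is not part of the original message and is not OpenSSH's code: mkdtemp() creates a uniquely named directory with mode 0700, and the socket is bound inside it. The function name make_private_socket and the socket file name agent.sock are assumptions for illustration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* for mkdtemp() under strict -std= modes */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

/* Hypothetical helper (not OpenSSH code): create a private directory from a
 * mkdtemp() template and bind a listening UNIX socket inside it. Returns the
 * socket fd and fills dir/path with the created names, or -1 on failure. */
int make_private_socket(char *dir, size_t dirlen, char *path, size_t pathlen)
{
    struct sockaddr_un addr;
    struct stat st;
    int fd, n;

    /* Same template shape as the hard-coded one quoted in the thread. */
    n = snprintf(dir, dirlen, "/tmp/ssh-XXXXXXXXXX");
    if (n < 0 || (size_t)n >= dirlen)
        return -1;
    /* mkdtemp() never reuses an existing path and creates the directory
     * with mode 0700, so other local users cannot reach what is inside. */
    if (mkdtemp(dir) == NULL)
        return -1;
    /* Check the result: a real directory, ours, no group/other access. */
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & 077) != 0)
        goto fail;
    n = snprintf(path, pathlen, "%s/agent.sock", dir);
    if (n < 0 || (size_t)n >= pathlen || (size_t)n >= sizeof(addr.sun_path))
        goto fail;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    memcpy(addr.sun_path, path, (size_t)n + 1);
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        goto fail;
    if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) != 0 || listen(fd, 8) != 0) {
        close(fd);
        unlink(path);
        goto fail;
    }
    return fd;
fail:
    rmdir(dir);
    return -1;
}
```

The caller owns cleanup: close the fd, unlink the socket path, then rmdir the directory.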