vulnerability with ssh-agent

Keld Jørn Simonsen keld at dkuug.dk
Thu Jul 15 05:26:27 EST 2004


Jefferson Ogata wrote:

> Keld Jørn Simonsen wrote:
> > I was thinking along the lines of deleting the socket in temp, if an
> > option "delete_ssk_auth_socket" was given in config, and then only
> > processes that inherited the socket via fork() would have access to
> > the socket, via an open file descriptor. An intruder would then need to
> > program opening of an inode that was deleted, which is much harder
> > than just using readily available ssh with an easy-to-find SSH_AUTH_SOCKET.
> > This would work fine in the standard setup, where ssh-agent is
> > launched as part of the initiation of X. 
> 
> Even if you could make this work, the socket would still be accessible 
> to root on Linux under /proc/pid/fd.

Hmm, I had a look, and sure, there were file descriptors in
/proc/pid/fd. But they did not have the same inode description as the
ones in /tmp/ssh-*/. Can these fds be used in the SSH_AUTH_SOCKET?
And what are they good for anyway? Who uses them, and could they be
removed (out of the kernel) as a kind of security option?

Or could other ways be invented so that the ssh-agent could not be
misused by an intruder with root privileges?

Best regards
keld
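The following is an added example, written for this archive page; it is not code from Keld, Jefferson or OpenSSH. It models the proposal above with a stand-in "agent" and "client" on an AF_UNIX stream socket: a client connects while the path exists, the path is unlinked, and a forked child keeps using the inherited descriptor, while a newcomer that only knows the old path gets ENOENT. It then tries the /proc/<pid>/fd route on its own socket descriptor. It assumes a Unix host with a writable /tmp; the socket path is constructed for the demo, and the ENXIO result is Linux-specific.

```c
/* Added example, not OpenSSH code.  Unix, writable /tmp; the socket path is
 * constructed for the demo and the ENXIO claim is Linux-specific. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/wait.h>
#include <unistd.h>

#define DEMO_SOCK "/tmp/agent-unlink-demo.sock"   /* constructed path */

/* AF_UNIX stream socket on path: listener (ssh-agent side) if lst, else a
 * connecting client (ssh(1) using SSH_AUTH_SOCK).  Returns fd or -errno. */
static int agent_sock(const char *path, int lst)
{
    struct sockaddr_un sa;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0), r;
    if (fd < 0) return -errno;
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strncpy(sa.sun_path, path, sizeof sa.sun_path - 1);
    if (lst) {
        unlink(path);                 /* clear a stale socket from an earlier run */
        r = bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0 && listen(fd, 1) == 0;
    } else
        r = connect(fd, (struct sockaddr *)&sa, sizeof sa) == 0;
    if (!r) { int e = errno; close(fd); return -e; }
    return fd;
}

/* Connect while the path exists, unlink it, then let a forked child use the
 * inherited descriptor.  Returns 1 if request and reply both got through. */
int inherited_fd_still_works(const char *path)
{
    int lfd = agent_sock(path, 1);
    if (lfd < 0) return 0;
    int cfd = agent_sock(path, 0);
    int afd = cfd < 0 ? -1 : accept(lfd, NULL, NULL);
    unlink(path);                     /* the proposal: nothing left to find in /tmp */
    pid_t pid = afd < 0 ? -1 : fork();
    if (pid == 0) {                   /* child: holds cfd only by inheritance */
        char req = 'p', rep = 0;
        if (write(cfd, &req, 1) != 1 || read(cfd, &rep, 1) != 1) _exit(1);
        _exit(rep == 'o' ? 0 : 1);
    }
    char got = 0, rep = 'o';
    int status = 1;
    int ok = pid > 0 && read(afd, &got, 1) == 1 && got == 'p' && write(afd, &rep, 1) == 1;
    if (pid > 0) waitpid(pid, &status, 0);
    if (afd >= 0) close(afd);
    if (cfd >= 0) close(cfd);
    close(lfd);
    return ok && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* A newcomer that still knows the old SSH_AUTH_SOCK value: its connect errno. */
int newcomer_errno_after_unlink(const char *path)
{
    int lfd = agent_sock(path, 1);
    if (lfd < 0) return -lfd;
    unlink(path);
    int cfd = agent_sock(path, 0);
    close(lfd);
    if (cfd >= 0) { close(cfd); return 0; }
    return -cfd;                      /* ENOENT: the path is gone */
}

/* The /proc/<pid>/fd route, tried on our own socket descriptor: open(2) on a
 * socket through /proc fails with ENXIO on Linux.  Returns errno, 0 on success. */
int proc_fd_reopen_errno(void)
{
    char p[64];
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return errno;
    snprintf(p, sizeof p, "/proc/self/fd/%d", fd);
    int r = open(p, O_RDWR);
    int e = r < 0 ? errno : 0;
    if (r >= 0) close(r);
    close(fd);
    return e;
}

int main(void)
{
    printf("inherited fd works after unlink: %d\n", inherited_fd_still_works(DEMO_SOCK));
    printf("newcomer connect errno: %d (ENOENT=%d)\n",
           newcomer_errno_after_unlink(DEMO_SOCK), ENOENT);
    printf("open(/proc/self/fd/N) errno: %d (ENXIO=%d)\n", proc_fd_reopen_errno(), ENXIO);
    return 0;
}
```

Two caveats follow from running this. First, unlinking the path locks out every ssh(1) that did not already hold a connection, because connect(2) on an AF_UNIX socket resolves a filesystem path; handing the descriptor to a new process without a path means fork inheritance, a socketpair(2), or passing it with SCM_RIGHTS. Second, the /proc/<pid>/fd/N entry is a symlink that reads socket:[inode], which is why the inode numbers seen there differ from the ones under /tmp/ssh-*/, and open(2) on it fails with ENXIO, so that route alone yields no usable connection; it does not stop root, though, who can attach with ptrace(2) and drive the agent from inside its own process, or on Linux 5.6 and later copy the descriptor out with pidfd_getfd(2).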

More information about the openssh-unix-dev mailing list