vulnerability with ssh-agent

Peter Stuge stuge-openssh-unix-dev at cdy.org
Sun Jul 18 01:41:31 EST 2004


On Sat, Jul 17, 2004 at 05:04:15PM +0200, Keld Jørn Simonsen wrote:
> I understand that my level of competence here is way lower than that of
> a openssh hacker, but anyway, where there is a will, there is a way. 

Not always.. I don't want Windows to crash..


> I am appalled by the ease it is to use the ssh-agent for an intruder.

So don't use it.

I'm being redundant now, but you can not protect regular user resources
from root privilege. If someone gets root in your system, game over,
do restore and/or reinstall.


> socket:[number] but I am not sure of this. This is the name that is
> recorded in /proc/pid/fd

This is just the Linux kernel (procfs, specifically) way of telling
you that the fd is a socket. The number is likely an internal kernel
reference to it.


> and it is probably accessible for a program with root permissions
> without inheriting the fd.

Again, being redundant; _everything_ in the system is accessible for
a program with root permissions. Absolutely everything.

Unless..

..you really want to lock your system down, in that case please have
a look at systrace, which allows very precise control over what
userspace software can do and can not do to the system.


> I also need to consider whether the ssh -c option is enough for me
> and my small advisory, and if it works as I would like it to do.

Not ssh -c, ssh-add -c. It's as good as it can get with the agent.


> Anyway, I don't expect that people from the list comment on this. I
> understand that I need to show something more concrete to the list,
> and I think I will find the time to delve into it, but if you feel
> like it, you are welcome to comment and save me some hours on
> digging out documentation and hacking.

Keep in mind that the agent and your private keys should only be on
trusted systems, otherwise you'll lose just the same. :)

Hope this helps.


//Peter
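The "socket:[number]" confusion in the thread comes up whenever someone audits which processes hold an agent socket open. The following shell functions, an added example that is not part of Peter's mail or of OpenSSH itself, resolve such an fd link target to the unix socket path bound to that inode via the /proc/net/unix table, and flag the ones that look like ssh-agent sockets. The sample table is constructed here so the functions run offline; the live driver assumes a Linux host with procfs mounted and readlink available.

```shell
# Added example (not from the thread or OpenSSH): map a "socket:[inode]"
# fd target, as shown in /proc/PID/fd, to the unix socket path bound to
# that inode, using the /proc/net/unix table, for auditing which
# processes hold an ssh-agent socket open.

# Constructed sample of /proc/net/unix (same column layout as Linux) so
# the functions can be exercised without a live agent. Inode 12345 is a
# bound agent socket; 12346 is an unnamed (client-side) socket.
SAMPLE_UNIX='Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 12345 /tmp/ssh-XXXXabcd/agent.4242
0000000000000000: 00000003 00000000 00000000 0001 03 12346
0000000000000000: 00000002 00000000 00010000 0001 01 12347 /run/user/1000/bus'

# socket_inode LINKTARGET: print the inode number from "socket:[N]";
# print nothing and return 1 for any other fd target (files, pipes, ...).
socket_inode() {
    inode=$(printf '%s\n' "$1" | sed -n 's/^socket:\[\([0-9][0-9]*\)\]$/\1/p')
    [ -n "$inode" ] && printf '%s\n' "$inode"
}

# unix_socket_path INODE: read a /proc/net/unix table on stdin and print
# the path bound to INODE; return 1 if the inode has no bound path.
unix_socket_path() {
    path=$(awk -v want="$1" 'NR > 1 && $7 == want { print $8 }')
    [ -n "$path" ] && printf '%s\n' "$path"
}

# is_agent_socket PATH: ssh-agent binds .../ssh-*/agent.<pid> by default.
is_agent_socket() {
    case "$1" in
        */ssh-*/agent.*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_agent_fds PID: on a live Linux host, list the fds of PID that
# refer to an agent socket. Socket fd links point at no real path, so
# test with -L (is a symlink) rather than -e (target exists).
audit_agent_fds() {
    pid=$1
    for fd in /proc/"$pid"/fd/*; do
        [ -L "$fd" ] || continue
        inode=$(socket_inode "$(readlink "$fd")") || continue
        path=$(unix_socket_path "$inode" < /proc/net/unix) || continue
        is_agent_socket "$path" && \
            printf 'pid %s fd %s -> %s\n' "$pid" "${fd##*/}" "$path"
    done
}

# Offline demonstration against the constructed table:
inode=$(socket_inode 'socket:[12345]')
printf '%s\n' "$SAMPLE_UNIX" | unix_socket_path "$inode"
```

Run `audit_agent_fds "$$"` in a shell that has an agent forwarded or started to see the live mapping. Nothing here prevents root from reading the socket, which is Peter's point; what limits the damage is keeping keys loaded with `ssh-add -c` (confirm each signing request) and, where that fits the workflow, a lifetime with `ssh-add -t`, so a hijacked socket yields nothing silently or indefinitely.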

