Re: Is it good for agent forwarding to creates socket in /tmp/

OpenSSH takes at least two precautions to protect against other users
connecting to the agent forwarding socket. First, it creates a temporary
subdirectory for each socket; this directory has permissions drwx------.
This is because BSDs and Linux differ in how they handle permissions on a
UNIX socket itself (1). Second, it validates the identity of the process
connecting to the auth socket (2).

Hope this helps,


Dustin Lundquist


[1]
https://unix.stackexchange.com/questions/83032/which-systems-do-not-honor-socket-read-write-permissions
[2]
https://github.com/openssh/openssh-portable/blob/9f0e44e1a0439ff4646495d5735baa61138930a9/ssh-agent.c#L796-L806

On Wed, Nov 1, 2017 at 3:26 AM, tran dung <trandung0101@xxxxxxxxx> wrote:

> Hi
>
> After logging in to a remote server with ForwardAgent enabled, sshd on the
> remote server creates a socket at /tmp/ and permission is 0755/srwxr-xr-x.
>
> What is the reason to allow everyone to read this socket?
> Also, is it better to save this socket in /home/user/.ssh/?
>
>
> Best Regards
> -----------------------
> Tran Dung
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
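The two precautions described in the reply above, shown in miniature as an added example (this is not OpenSSH's code and not part of the thread): a Linux C program that binds a socket inside a mkdtemp() directory (mode 0700) and admits only peers whose effective uid is its own or root. The function names agent_listen, peer_allowed and demo and the /tmp/agent-demo-XXXXXX template are assumptions; the credential lookup uses Linux SO_PEERCRED where ssh-agent's portable code calls getpeereid().

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

/* Precaution 1: bind the socket inside a fresh 0700 directory, so directory
 * permissions protect it even where socket-inode permissions are ignored. */
int agent_listen(char *path, size_t pathlen) {
    char dir[] = "/tmp/agent-demo-XXXXXX";   /* constructed template, not ssh-agent's */
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0 || mkdtemp(dir) == NULL) { close(fd); return -1; } /* mkdtemp: mode 0700 */
    snprintf(sa.sun_path, sizeof sa.sun_path, "%s/agent.%ld", dir, (long)getpid());
    snprintf(path, pathlen, "%s", sa.sun_path);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 5) < 0) { close(fd); return -1; }
    return fd;
}
/* Precaution 2: admit a client only if its effective uid is ours or root, the test
 * ssh-agent applies. Linux exposes peer credentials via SO_PEERCRED, BSDs via getpeereid(). */
int peer_allowed(int conn) {
    struct ucred cr;
    socklen_t len = sizeof cr;
    if (getsockopt(conn, SOL_SOCKET, SO_PEERCRED, &cr, &len) < 0) return 0;
    return cr.uid == 0 || cr.uid == getuid();
}
/* Self-test: connect to our own socket, run the peer check, confirm the directory is
 * 0700, then clean up. Returns 1 when both precautions hold. */
int demo(void) {
    char path[108];
    struct stat st;
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    int lfd = agent_listen(path, sizeof path), cfd, conn, ok = 0;
    if (lfd < 0) return 0;
    snprintf(sa.sun_path, sizeof sa.sun_path, "%s", path);
    cfd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (connect(cfd, (struct sockaddr *)&sa, sizeof sa) == 0 &&
        (conn = accept(lfd, NULL, NULL)) >= 0) {
        ok = peer_allowed(conn);              /* the agent-side identity check */
        close(conn);
    }
    close(cfd); close(lfd); unlink(path);
    *strrchr(path, '/') = '\0';               /* path is now the directory */
    ok = ok && stat(path, &st) == 0 && (st.st_mode & 0777) == 0700;
    rmdir(path);
    return ok;
}
```

A peer running as a different, non-root uid would be refused by peer_allowed(), and a different user cannot even reach the socket because the enclosing directory is not traversable.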