Hi Alexander Wuerstlein Thank for the information. Now I agree that it's better to save the socket in /tmp/ I checked the source code and found that it is hard-coded. /* Allocate a buffer for the socket name, and format the name. */ auth_sock_dir = xstrdup("/tmp/ssh-XXXXXXXXXX"); It would be nice if openssh provides an option to overwrite this default. Regards Tran Best Regards ----------------------- Tran Van Dung On Wed, Nov 1, 2017 at 10:19 PM, Alexander Wuerstlein <arw@xxxxxxxxx> wrote: > On 2017-11-01T11:27, tran dung <trandung0101@xxxxxxxxx> wrote: > > Hi > > > > After logging in to a remote server with ForwardAgent enabled, sshd on > the > > remote server creates a socket at /tmp/ and permission is > 0755/srwxr-xr-x. > > What is the reason to allow everyone to read this socket? > > I can't answer that part really. > > I only vaguely remember that for sockets in some operating systems the > permissions are ignored and only ownership grants any access. But I'm > really not sure. > > > Also, is it better to save this socket in /home/user/.ssh/? > > No. Sockets are special files, and the home directory is often mounted > via some network file system like NFS, SMB or AFS. Depending on type and > configuration, sockets won't be able to exist there, so you need a > filesystem that supports them, which /tmp should always do. Also, > network file systems will create the additional headache of making sure > that the socket's name is unique across the whole network, not just the > local machine. Thats why a local filesystem is preferable. And then > there is the argument that its messy to put the socket in ~/.ssh, since > ~/.ssh is for more permanent kinds of files, whereas the socket is > temporary in nature, thus belonging in /tmp. > > > > Ciao, > > Alexander Wuerstlein. > _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev