Re: Is it good for agent forwarding to create a socket in /tmp/

Hi Alexander Wuerstlein,

Thanks for the information.

Now I agree that it's better to save the socket in /tmp/.
I checked the source code and found that it is hard-coded:
        /* Allocate a buffer for the socket name, and format the name. */
        auth_sock_dir = xstrdup("/tmp/ssh-XXXXXXXXXX");
It would be nice if openssh provided an option to override this default.

Regards
Tran


Best Regards
-----------------------
Tran Van Dung

On Wed, Nov 1, 2017 at 10:19 PM, Alexander Wuerstlein <arw@xxxxxxxxx> wrote:

> On 2017-11-01T11:27, tran dung <trandung0101@xxxxxxxxx> wrote:
> > Hi
> >
> > After logging in to a remote server with ForwardAgent enabled, sshd on the
> > remote server creates a socket at /tmp/ and permission is 0755/srwxr-xr-x.
> > What is the reason to allow everyone to read this socket?
>
> I can't answer that part really.
>
> I only vaguely remember that for sockets in some operating systems the
> permissions are ignored and only ownership grants any access. But I'm
> really not sure.
>
> > Also, is it better to save this socket in /home/user/.ssh/?
>
> No. Sockets are special files, and the home directory is often mounted
> via some network file system like NFS, SMB or AFS. Depending on type and
> configuration, sockets won't be able to exist there, so you need a
> filesystem that supports them, which /tmp should always do. Also,
> network file systems will create the additional headache of making sure
> that the socket's name is unique across the whole network, not just the
> local machine. That's why a local filesystem is preferable. And then
> there is the argument that it's messy to put the socket in ~/.ssh, since
> ~/.ssh is for more permanent kinds of files, whereas the socket is
> temporary in nature, thus belonging in /tmp.
>
>
>
> Ciao,
>
> Alexander Wuerstlein.
>
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
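
What is worth checking on the remote host is what actually guards that srwxr-xr-x socket. The script below is an added example for this thread, not code from the thread or from OpenSSH. It rebuilds the layout the thread describes under a temporary directory and assumes, as the XXXXXXXXXX template in the quoted line suggests but the thread does not show, that sshd creates the parent directory with mkdtemp() and therefore at mode 0700. The audit deliberately judges the parent directory's mode and ownership rather than the socket file's own bits, because, as Alexander notes, whether a socket's mode bits are enforced on connect() differs between systems, while a 0700 directory stops other users traversing to the socket everywhere. The function names (audit_agent_socket, make_forwarded_style_socket, demo) and the constructed demo layout are the example's own.

```python
#!/usr/bin/env python3
"""Audit a forwarded ssh-agent socket on the remote host.

Added example for this thread; it is not OpenSSH code.  It reproduces the
layout the thread describes (socket under /tmp showing srwxr-xr-x) and then
checks what actually gates access on a conventional Unix: the mode and
ownership of the parent directory, assumed here to come from mkdtemp() and
therefore to be 0700.
"""
import os
import socket
import stat
import tempfile


def audit_agent_socket(path):
    """Inspect the agent socket at `path` and its parent directory.

    Returns a dict with is_socket, sock_mode, dir_mode, dir_private,
    owner_ok and a list of human-readable problems (empty when the layout
    looks the way a forwarded agent socket should).
    """
    st = os.lstat(path)
    parent = os.path.dirname(os.path.abspath(path))
    dst = os.lstat(parent)
    me = os.geteuid()
    dir_mode = stat.S_IMODE(dst.st_mode)
    findings = {
        "is_socket": stat.S_ISSOCK(st.st_mode),
        "sock_mode": stat.S_IMODE(st.st_mode),
        "dir_mode": dir_mode,
        # Private means no group/other bits at all on the directory; the
        # socket's own 0755 is irrelevant while nobody else can traverse it.
        "dir_private": (dir_mode & 0o077) == 0,
        "owner_ok": st.st_uid == me and dst.st_uid == me,
        "problems": [],
    }
    if not findings["is_socket"]:
        findings["problems"].append("%s is not a unix socket" % path)
    if not findings["dir_private"]:
        findings["problems"].append(
            "parent directory %s is mode %04o, reachable by other users"
            % (parent, dir_mode))
    if not findings["owner_ok"]:
        findings["problems"].append(
            "socket or parent directory not owned by uid %d" % me)
    return findings


def make_forwarded_style_socket(umask=0o022):
    """Build the same layout under a temporary directory (constructed demo
    input): a mkdtemp() directory with an ssh- prefix and a listener bound
    inside it under the given umask.  Returns (dir, socket_path, sock)."""
    old = os.umask(umask)
    try:
        d = tempfile.mkdtemp(prefix="ssh-")      # created with mode 0700
        p = os.path.join(d, "agent.%d" % os.getpid())
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.bind(p)                                # mode 0777 & ~umask = 0755
        s.listen(1)
    finally:
        os.umask(old)
    return d, p, s


def cleanup(d, p, s):
    """Remove the demo listener, its socket file and its directory."""
    s.close()
    os.unlink(p)
    os.rmdir(d)


def demo():
    """Audit a healthy layout, then the same layout after the directory has
    been loosened to 0755, and return both findings."""
    d, p, s = make_forwarded_style_socket()
    try:
        good = audit_agent_socket(p)
        os.chmod(d, 0o755)                       # simulate a loosened dir
        bad = audit_agent_socket(p)
    finally:
        cleanup(d, p, s)
    return good, bad


if __name__ == "__main__":
    # On a real remote host, point the audit at what sshd handed us.
    target = os.environ.get("SSH_AUTH_SOCK")
    if target:
        for k, v in audit_agent_socket(target).items():
            print("%-12s %s" % (k, ("%04o" % v) if k.endswith("mode") else v))
    good, bad = demo()
    print("demo, private dir :", good["problems"] or "ok")
    print("demo, 0755 dir    :", bad["problems"])
```

Run it inside a forwarded session and it reports on $SSH_AUTH_SOCK first; the built-in demo then shows the same socket bits reading 0755 in both cases while only the loosened directory is flagged, which is the distinction the question in the thread turns on.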