On 19.07.23 16:40, Damien Miller wrote:
Exploitation can also be prevented by starting ssh-agent(1) with an empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that contains only specific provider libraries.
Upon trying to deploy such a workaround, I found that the call to ssh-agent(1) nowadays is hidden *ridiculously* deep in the GUI startup mechanisms. (As in, did "find | xargs grep ssh-agent" and such across the entire OS install and *still* haven't found it.)
Feature request: Please consider giving ssh-agent(1) a config file(s) to drop at least the potentially security-relevant options into.
(One would think that when the maintainers of hulking package X call out to an executable of entirely different package Y that has a nontrivial command line syntax, it'd be a no-brainer to put an X-maintained wrapper script in between, just in case that the maintainers of Y pull an ncat(1) and rename a bunch of options, but noooo ...)
Kind regards, -- Jochen Bern Systemingenieur Binect GmbH
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
