Using ssh-agent option: -a <socket>
Len_at_Weisberg.com
Date: 08/12/05
- Next message: Pablo Halpern: "Cygwin: ssh-add can't talk to ssh-agent"
- Previous message: Richard E. Silverman: "Re: Difference between "PasswordAuthentication yes" and "AllowedAuthentication password" ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 11 Aug 2005 18:15:25 -0700
I'd like some advice:
First, a bit of context: I am trying to work out some guidelines for
my workgroup's use of ssh. We all use VNC to log in to a large Unix
server that acts as our workstation.
My question regards ssh-agent: I have always regarded the whole
business of capturing and passing around the two envars
SSH_AUTH_SOCK and SSH_AGENT_PID as rather awkward and fussy.
So I was pleased when I learned (in the fabulous SnailBook, of
course) about the OpenSSH option to ssh-agent: -a <socket> .
I am considering recommending to my group that we use this to
specify a fixed socket name within ~/.ssh/ .
Seems to me this would greatly simplify the envar handling:
- Just specify in ~/.profile:
export SSH_AUTH_SOCK=$HOME/.ssh/agent-socket
- Just forget about SSH_AGENT_PID :
- AFAIK it is used only when you want to kill ssh-agent .
- In our environment that doesn't happen very often,
since our Xvnc sessions last for months.
- It's pretty easy to find the PID with ps(1) and just use kill;
or it's easy to write a script to do this.
My question is whether there is a significant security risk in making
it so easy for others on the system to find the socket.
Even if you didn't know the convention, the -a arg shows up in the
ps(1) display. Presumably the ~/.ssh directory is pretty well
locked up.
The default is to try to hide the socket in a subdir of /tmp, and to
obscure it with a random name. But the security of this depends on
the same permissions mechanism that protects ~/.ssh .
Or is there a significant benefit from this default, hiding the socket
from those NOT logged in to the system?
Also, would this scheme have any bearing on the advisability of
allowing agent-forwarding?
(BTW, another of my recommendations will be to use the -t option of
ssh-agent to require re-entering the passphrase every hour or two,
in case you are concerned about long-lasting ssh-agent processes.)
Cheers,
-Len
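Len's scheme, written out as a ~/.profile fragment. This is an added example, not code from the original post or from OpenSSH; the socket path, the AGENT_LIFETIME variable and the helper function names are assumptions. It reuses a live agent if one answers on the fixed path, starts one only after checking that the directory holding the socket is really private (the point the post says the whole scheme rests on), and finds the agent's PID from ps(1) instead of SSH_AGENT_PID:

```shell
#!/bin/sh
# Hypothetical ~/.profile fragment for the fixed-socket scheme (added example,
# not from the original post).  AGENT_SOCK and AGENT_LIFETIME are assumed names.
AGENT_SOCK="${AGENT_SOCK:-$HOME/.ssh/agent-socket}"
AGENT_LIFETIME="${AGENT_LIFETIME:-2h}"    # handed to ssh-agent -t

# Octal mode / numeric owner of a path, portable across GNU and BSD stat(1).
mode_of()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
owner_of() { stat -c '%u' "$1" 2>/dev/null || stat -f '%u'  "$1"; }

# 0 if the directory that will hold the socket exists, is ours, and is mode 700.
# With a fixed, guessable path this directory's permissions are the whole defence.
socket_dir_is_private() {
    dir=$(dirname "$1")
    [ -d "$dir" ] || return 1
    [ "$(owner_of "$dir")" = "$(id -u)" ] || return 1
    case "$(mode_of "$dir")" in
        700|0700) return 0 ;;
        *)        return 1 ;;
    esac
}

# 0 if an agent answers on the socket.  ssh-add exits 2 when it cannot reach
# an agent (0 = keys listed, 1 = agent reachable but holds no keys).
agent_alive() {
    command -v ssh-add >/dev/null 2>&1 || return 1
    SSH_AUTH_SOCK="$1" ssh-add -l >/dev/null 2>&1
    [ $? -ne 2 ]
}

# PID of our agent bound to the given socket, taken from ps(1) as the post
# suggests, so SSH_AGENT_PID never needs to be carried around.
agent_pid() {
    ps -U "$(id -un)" -o pid= -o args= 2>/dev/null |
        awk -v s="$1" '$2 == "ssh-agent" && index($0, s) { print $1; exit }'
}

# Start an agent on the fixed path.  ssh-agent refuses to bind if the path
# already exists, and a stale socket left by a dead agent is the usual reason
# a login finds one, so clear it first.
start_agent() {
    if ! socket_dir_is_private "$1"; then
        echo "refusing to start ssh-agent: $(dirname "$1") is not mode 700 and ours" >&2
        return 1
    fi
    [ -S "$1" ] && rm -f "$1"
    ssh-agent -a "$1" -t "$AGENT_LIFETIME" >/dev/null || return 1
    # Check the socket itself too, not just its directory.
    case "$(mode_of "$1")" in
        600|0600) return 0 ;;
        *) echo "warning: $1 has mode $(mode_of "$1"), expected 600" >&2; return 1 ;;
    esac
}

# Reuse the live agent or start one; either way the only thing exported is
# SSH_AUTH_SOCK, exactly as the post proposes.
ensure_agent() {
    agent_alive "$AGENT_SOCK" || start_agent "$AGENT_SOCK" || return 1
    SSH_AUTH_SOCK="$AGENT_SOCK"
    export SSH_AUTH_SOCK
}

# The one operation the post says needs the PID, done without SSH_AGENT_PID.
stop_agent() {
    pid=$(agent_pid "$AGENT_SOCK")
    [ -n "$pid" ] && kill "$pid" && rm -f "$AGENT_SOCK"
}

# Act only when sourced by an interactive shell (a login reading ~/.profile);
# sourcing from a script just defines the functions.
case "$-" in *i*) ensure_agent ;; esac
```

The permission check is deliberately a precondition of starting the agent rather than a warning: if ~/.ssh is group- or world-accessible, a fixed socket name there is worse than the default random path under /tmp, and the login should fail loudly instead of quietly exposing the agent.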