Re: ssh-agent and Linux



On Tue, 27 Mar 2007 14:33:40 +0000, Per Hedeland wrote:

In article <pan.2007.03.27.11.20.59@xxxxxxxxxxx> Harold Weissman
<HaroldW22@xxxxxxxxxxx> writes:
On Tue, 27 Mar 2007 03:57:46 +0000, Neil W Rickert wrote:

Harold Weissman <HaroldW22@xxxxxxxxxxx> writes:

I frequently run ssh-agent with its socket created at a different
location than the default one. When one does a ps command, one can see
where the socket has been created.

Would it be possible to do things in such a way that ps does not
reveal this information?

What would be the point, when the "netstat" command can give out the
same information?

Is it not the case that with netstat you need root privileges in
order to display the socket and the name of the application it is
associated with?

YMMV, but typically no to the first and yes to the second. However there
is another issue (and I suspect this is what Neil was actually thinking
about) - for ssh-agent to be of any use, the location of the socket must
be communicated to ssh (and ssh-add), which is done via the environment
- and this is also (typically) visible via 'ps':

$ ps ewww $$
PID TT STAT TIME COMMAND
7777 p1 Ss 0:03.35 USER=per ...
SSH_AUTH_SOCK=/tmp/ssh-aeTf2JUD9e/agent.7717 ...

The protection of the socket has to be based on file system access rights,
trying to hide it away in a non-standard location doesn't really help.

But again, is it not the case that for the ps command above to
print out that it must be issued by the owner of the relevant process, or
by root?
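
An added example, not part of the original thread: a Python check of the file system access rights that the discussion says the socket's protection rests on. The names `audit_agent_socket` and `demo` are hypothetical, and the socket built in `demo` is a constructed sample in a temporary directory.

```python
import os
import socket
import stat
import tempfile

LOOSE = stat.S_IRWXG | stat.S_IRWXO  # any group/other permission bit


def audit_agent_socket(sock_path, uid=None):
    """Return a list of findings for an agent socket path; empty list = OK."""
    uid = os.getuid() if uid is None else uid
    try:
        st = os.lstat(sock_path)  # lstat: do not follow a symlink at the path
        parent = os.stat(os.path.dirname(os.path.abspath(sock_path)))
    except OSError as exc:
        return [f"cannot stat: {exc.strerror}"]
    findings = []
    if not stat.S_ISSOCK(st.st_mode):
        findings.append("not a UNIX-domain socket")
    if st.st_uid != uid:
        findings.append(f"socket owned by uid {st.st_uid}, not {uid}")
    if st.st_mode & LOOSE:
        findings.append(f"socket mode {stat.S_IMODE(st.st_mode):04o} is open to group/other")
    if parent.st_uid != uid:
        findings.append(f"directory owned by uid {parent.st_uid}, not {uid}")
    if parent.st_mode & LOOSE:
        findings.append(f"directory mode {stat.S_IMODE(parent.st_mode):04o} is open to group/other")
    return findings


def demo():
    """Constructed sample: a private socket, then the same one after loosening its directory."""
    with tempfile.TemporaryDirectory(prefix="ssh-demo") as d:  # created with mode 0700
        path = os.path.join(d, "agent.demo")
        with socket.socket(socket.AF_UNIX) as s:
            s.bind(path)
            os.chmod(path, 0o600)
            private = audit_agent_socket(path)
            os.chmod(d, 0o755)  # simulate a directory others can traverse
            exposed = audit_agent_socket(path)
    return private, exposed


if __name__ == "__main__":
    # Audit the socket the current session actually uses, if any.
    target = os.environ.get("SSH_AUTH_SOCK")
    for line in audit_agent_socket(target) if target else ["SSH_AUTH_SOCK is not set"]:
        print(line)
```

Run directly, it audits the path in `SSH_AUTH_SOCK` and prints nothing when the socket and its directory are owned by the caller and closed to group and other.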