
ssh-agent bug?



I recently noticed something odd about the way forwarded ssh-agent
sessions work:

When I use ssh-agent and allow it to be forwarded to another host
(trusted of course), I noticed that the remote agent does not appear to
drop privileges. Notice how the socket and socket directory are
created in /tmp:

[eb@dogbert eb]$ ll -d /tmp/ssh-ONn15369/
drwx------    2 eb       root         1024 Jul  1 12:53 /tmp/ssh-ONn15369/
[eb@dogbert eb]$ ll /tmp/ssh-ONn15369/
total 0
srwxr-xr-x    1 eb       root            0 Jul  1 12:53 agent.15369

Two problems I see here: 1) the agent is not dropping gid=root
privileges when creating the socket, and 2) the agent is not setting a
proper create mode when the actual socket is created. The socket
should have 0600 permissions IMO, even if it is protected by a `gate'
directory.

And then I noticed this:

[eb@dogbert eb]$ ps aux | grep 15369
root     15369  0.1  1.8  3244 1724 ?        S    12:53   0:00 /usr/sbin/sshd
eb       15398  0.0  0.5  1260  480 pts/0    S    12:59   0:00 grep 15369
[eb@dogbert eb]$ ps aufx | grep sshd
root     14037  0.0  0.9  2240  944 ?        S    Jun28   0:06 /usr/sbin/sshd
root     15369  0.1  1.8  3244 1724 ?        S    12:53   0:00  \_ /usr/sbin/sshd
eb       15400  0.0  0.5  1260  480 pts/0    S    12:59   0:00          \_ grep sshd
[eb@dogbert eb]$

Why isn't an ssh-agent process forked to handle the socket? Instead we
have a fully root-owned process listening on a socket. Is that safe?

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
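
The two conditions raised in the message above (root group on a user-owned socket and directory, and a socket mode wider than 0600) can be checked mechanically. The following is an added example, not part of the original post or of OpenSSH; the function names and the uid 1000 used for "eb" in the constructed sample are assumptions.

```python
import os
import stat
from types import SimpleNamespace


def socket_findings(dir_st, sock_st):
    """Return problems for an agent socket and its parent ("gate") directory.

    Both arguments need st_mode, st_uid and st_gid (an os.stat_result works).
    """
    findings = []
    if stat.S_IMODE(dir_st.st_mode) & 0o077:
        findings.append("directory is accessible to group/other")
    if not stat.S_ISSOCK(sock_st.st_mode):
        findings.append("path is not a socket")
    elif stat.S_IMODE(sock_st.st_mode) != 0o600:
        findings.append("socket mode is %04o, expected 0600"
                        % stat.S_IMODE(sock_st.st_mode))
    for name, st in (("directory", dir_st), ("socket", sock_st)):
        # A non-root user's file carrying gid 0 means the creating process
        # still had root's group when it made the file.
        if st.st_uid != 0 and st.st_gid == 0:
            findings.append(name + " has group root but a non-root owner")
    return findings


def audit_agent_socket(path):
    """Stat a live socket path (for example $SSH_AUTH_SOCK) and check it."""
    parent = os.path.dirname(path) or "."
    return socket_findings(os.stat(parent), os.lstat(path))


# Constructed sample reproducing the listing in the post:
#   drwx------ eb root  /tmp/ssh-ONn15369/
#   srwxr-xr-x eb root  agent.15369
# uid 1000 is an assumed value for "eb".
POST_DIR = SimpleNamespace(st_mode=stat.S_IFDIR | 0o700, st_uid=1000, st_gid=0)
POST_SOCK = SimpleNamespace(st_mode=stat.S_IFSOCK | 0o755, st_uid=1000, st_gid=0)

if __name__ == "__main__":
    for line in socket_findings(POST_DIR, POST_SOCK):
        print("post listing:", line)
    live = os.environ.get("SSH_AUTH_SOCK")
    if live and os.path.exists(live):
        for line in audit_agent_socket(live) or ["no findings"]:
            print(live + ":", line)
```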
