Bug#882475: marked as done (weird access permission to ssh-agent's socket)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Thu, 23 Nov 2017 11:10:38 +0000
with message-id <20171123111038.dgg3cbgu3q4npwg4@riva.ucam.org>
and subject line Re: Bug#882475: weird access permission to ssh-agent's socket
has caused the Debian Bug report #882475,
regarding weird access permission to ssh-agent's socket
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
882475: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882475
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: submit@bugs.debian.org
• Subject: weird access permission to ssh-agent's socket
• From: Harald Dunkel <harald.dunkel@aixigo.de>
• Date: Thu, 23 Nov 2017 11:47:27 +0100
• Message-id: <[🔎] 9338eabf-196d-3e5b-26af-4508e4bcb551@aixigo.de>

Package: openssh-server
Version: 1:7.4p1-10+deb9u1

If I run "ssh somehost", then a new ssh-agent is started with weird
access permissions on its socket. Sample session:

% ls -al $SSH_AUTH_SOCK
srw------- 1 hdunkel users 0 Nov 23 11:25 /tmp/ssh-D65j4nl0gu7k/agent.3243
% ssh localhost
Linux dpcl082.ac.aixigo.de 4.9.0-4-amd64 #1 SMP Debian 4.9.51-1 (2017-09-28) x86_64

% ls -al $SSH_AUTH_SOCK
srwxr-xr-x 1 hdunkel users 0 Nov 23 11:42 /tmp/ssh-svX5x2DI9l/agent.6837


The first ssh-agent was created by lightdm at login time, AFAICT. In my
understanding the access permissions on the socket for the second ssh-agent
are way too permissive by default.

Can you confirm?


.ssh/config:

Host *
        AddKeysToAgent yes
        ForwardAgent yes


Regards
Harri

--- End Message ---

--- Begin Message ---

• To: Harald Dunkel <harald.dunkel@aixigo.de>, 882475-close@bugs.debian.org
• Subject: Re: Bug#882475: weird access permission to ssh-agent's socket
• From: Colin Watson <cjwatson@debian.org>
• Date: Thu, 23 Nov 2017 11:10:38 +0000
• Message-id: <20171123111038.dgg3cbgu3q4npwg4@riva.ucam.org>
• In-reply-to: <[🔎] 9338eabf-196d-3e5b-26af-4508e4bcb551@aixigo.de>
• References: <[🔎] 9338eabf-196d-3e5b-26af-4508e4bcb551@aixigo.de>

On Thu, Nov 23, 2017 at 11:47:27AM +0100, Harald Dunkel wrote:
> If I run "ssh somehost", then a new ssh-agent is started with weird
> access permissions on its socket. Sample session:
> 
> % ls -al $SSH_AUTH_SOCK
> srw------- 1 hdunkel users 0 Nov 23 11:25 /tmp/ssh-D65j4nl0gu7k/agent.3243
> % ssh localhost
> Linux dpcl082.ac.aixigo.de 4.9.0-4-amd64 #1 SMP Debian 4.9.51-1 (2017-09-28) x86_64
> 
> % ls -al $SSH_AUTH_SOCK
> srwxr-xr-x 1 hdunkel users 0 Nov 23 11:42 /tmp/ssh-svX5x2DI9l/agent.6837
> 
> 
> The first ssh-agent was created by lightdm at login time, AFAICT. In my
> understanding the access permissions on the socket for the second ssh-agent
> are way too permissive by default.

The containing directory is mode 700 (drwx------), so it doesn't matter
whether the socket itself has wider permissions.  Furthermore, ssh-agent
checks the identity of processes connecting to that socket using
getpeereid() to be on the safe side.  It's this way for portability,
since BSD systems handle socket permissions differently.

See this recent thread on openssh-unix-dev:

  https://lists.mindrot.org/pipermail/openssh-unix-dev/2017-November/036418.html

-- 
Colin Watson                                       [cjwatson@debian.org]

--- End Message ---