
From: "Theo de Raadt" <deraadt@openbsd.org>
Subject: Re: Move the ssh-agent socket from /tmp to $HOME/.ssh/
To: Jesper Wallin <jesper@ifconfig.se>
Cc: tech@openbsd.org
Date: Tue, 29 Apr 2025 07:48:35 -0600

~/ can be on NFS, whereas /tmp is guaranteed to be local.

Your proposal has some pretty big consequences.

As for your problem with /tmp versus in a sub-directory of home, I
don't see how this is actually solving it.

Unveil does not solve the problem of non-unveiled programs accessing
files.  It only prevents unveiled programs from accessing such files,
obviously.

Jesper Wallin <jesper@ifconfig.se> wrote:

> Hi all,
> 
> A program may use unveil(2) to limit access to the filesystem in case
> the program is compromised.  This will hopefully keep sensitive files
> like your private keys in ~/.ssh safe when behemoths like firefox or
> chromium are compromised.  However, these programs also require access
> to /tmp and many of the moving parts have "rwc" access to it.
> 
> Now, when you start xenodm and have a valid ssh key in your ~/.ssh, it
> will run ssh-agent and ssh-add, which asks for your password and adds it
> to the running agent.
> 
> If no bind_address is specified (-a) for ssh-agent, it will create a
> socket in $TMPDIR/ssh-XXXXXXXXXX/agent.<ppid> and set $SSH_AUTH_SOCK.
> 
> In other words, a program that has access to /tmp can also access the
> socket for ssh-agent and use your unlocked keys to authenticate with.
> 
> So, a simple fix for this would be to move the socket out of /tmp and
> place it in ~/.ssh/ or something.  Maybe there's a package that needs
> access to the agent but still no access to ~/.ssh?  I could probably be
> wrong here, but /tmp seems like too "broad" a directory to place it in,
> in terms of unveil(2) and restricting filesystem access.
> 
> 
> Index: app/xenodm/config/Xsession.in
> ===================================================================
> RCS file: /cvs/xenocara/app/xenodm/config/Xsession.in,v
> diff -u -p -r1.2 Xsession.in
> --- app/xenodm/config/Xsession.in	1 Jul 2022 20:42:06 -0000	1.2
> +++ app/xenodm/config/Xsession.in	23 Apr 2025 07:35:41 -0000
> @@ -28,7 +28,7 @@ then
>  	for k in id_rsa id_ecdsa id_ecdsa_sk id_ed25519 id_ed25519_sk id_dsa
>  	do
>  		if [ -f "$HOME/.ssh/$k" ]; then
> -			eval `ssh-agent -s`
> +			eval `ssh-agent -s -a "$HOME/.ssh/ssh-agent.socket"`
>  			ssh-add < /dev/null
>  			break
>  		fi
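Review bot: the fixed name in the `+` line, `"$HOME/.ssh/ssh-agent.socket"`, replaces the per-session `$TMPDIR/ssh-XXXXXXXXXX/agent.<ppid>` path described above, and ssh-agent does not remove an existing file at its -a path before binding. A socket left behind by a session that did not exit cleanly therefore makes the next `ssh-agent -s -a ...` fail to bind, the `eval` then sets no SSH_AUTH_SOCK, and the following `ssh-add < /dev/null` runs with no agent to add to; a second concurrent session for the same user collides in the same way. Either check for and remove a stale socket (one nothing is listening on) before starting the agent, or keep a per-session component in the name. The reply above also notes that ~/ can be on NFS while /tmp is guaranteed local, which the hunk does not account for.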
>