
From:
Jesper Wallin <jesper@ifconfig.se>
Subject:
Re: Move the ssh-agent socket from /tmp to $HOME/.ssh/
To:
Theo de Raadt <deraadt@openbsd.org>
Cc:
tech@openbsd.org
Date:
Tue, 29 Apr 2025 16:31:58 +0200

On Tue, Apr 29, 2025 at 08:06:54AM -0600, Theo de Raadt wrote:
> Jesper Wallin <jesper@ifconfig.se> wrote:
> 
> > On Tue, Apr 29, 2025 at 07:48:35AM -0600, Theo de Raadt wrote:
> > > ~/ can be on NFS, whereas /tmp is guaranteed to be local.
> > > 
> > > Your proposal has some pretty big consequences.
> > 
> > Oh, good point.  Yeah, that complicates things.
> >  
> > > As for your problem with /tmp versus in a sub-directory of home, I
> > > don't see how this is actually solving it.
> > > 
> > > Unveil does not solve the problem of non-unveiled programs accessing
> > > files.  It only prevents unveiled programs from accessing such files,
> > > obviously.
> > 
> > Hehe, obviously.
> > 
> > The scenario I had in mind was Firefox, where each process is unveiled
> > to only have accesses to the file and directories it needs access to.
> > Though, every single process of Firefox has 'rwc' access to /tmp.
> > 
> > So if Firefox got compromised, it can still access my ssh-agent socket
> > that lives in /tmp.  Though, Firefox does not have access to ~/.ssh.
> 
> And what does firefox do then?
> 

I just thought having access to one's ssh-agent was bad and that an
attacker could use it to authenticate with the added keys.  But yeah,
even if that statement is true, the attacker doesn't know where those
keys are being used.  So yeah, maybe a bit far fetched.


Though, another solution, *if* this is a problem at all that is, would
be to use ssh-add with -c.  Then it doesn't matter where the socket is
located.  Though, if it's not a problem, my apologies for the noise. :-)


Index: app/xenodm/config/Xsession.in
===================================================================
RCS file: /cvs/xenocara/app/xenodm/config/Xsession.in,v
diff -u -p -r1.2 Xsession.in
--- app/xenodm/config/Xsession.in	1 Jul 2022 20:42:06 -0000	1.2
+++ app/xenodm/config/Xsession.in	29 Apr 2025 14:30:27 -0000
@@ -29,7 +29,7 @@ then
 	do
 		if [ -f "$HOME/.ssh/$k" ]; then
 			eval `ssh-agent -s`
-			ssh-add < /dev/null
+			ssh-add -c < /dev/null
 			break
 		fi
 	done
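Review bot: the `-c` on the `ssh-add -c < /dev/null` line changes the default for every xenodm user who has a key in ~/.ssh: each later signing request with those keys goes through an ssh-askpass(1) confirmation dialog, and the agent refuses the request if the prompt cannot be shown or is declined, so this should be opt-in (a variable the user can set, or left to the user's own session script) rather than the unconditional default in Xsession.in. Two further points worth stating in a commit message: the constraint only covers keys loaded by this one call, so keys the user adds later without -c are unaffected; and since stdin is /dev/null, any passphrase prompt for these keys already depends on DISPLAY and an askpass program being available, which is also what the confirmation at use time will rely on.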
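Theo's question ("what does firefox do then?") comes down to what a process holding the socket can actually ask the agent. The following is an added example, not code from the thread or from OpenBSD: a minimal ssh-agent protocol client in Python that speaks the two requests an attacker with access to the socket would use, SSH_AGENTC_REQUEST_IDENTITIES (to learn which keys are loaded and their comments) and SSH_AGENTC_SIGN_REQUEST (to get the agent to sign an authentication challenge). The message numbers are those of OpenSSH's PROTOCOL.agent; the sample reply bytes and the key blob/comment in them are constructed here for illustration. When a key was loaded with `ssh-add -c`, the sign request is exactly the point at which ssh-agent runs ssh-askpass(1), and a declined prompt comes back as SSH_AGENT_FAILURE, which is what `parse_sign_response` maps to `None`.

```python
import os
import socket
import struct

# Message numbers from OpenSSH PROTOCOL.agent.
SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14


def ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH 'string': uint32 big-endian length, then body."""
    return struct.pack(">I", len(b)) + b


def read_string(buf: bytes, off: int):
    """Decode an SSH 'string' at offset off; return (body, offset after it)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def frame(body: bytes) -> bytes:
    """Wrap a message body in the agent's outer uint32 length frame."""
    return struct.pack(">I", len(body)) + body


def build_request_identities() -> bytes:
    return frame(bytes([SSH_AGENTC_REQUEST_IDENTITIES]))


def build_sign_request(key_blob: bytes, data: bytes, flags: int = 0) -> bytes:
    """SSH_AGENTC_SIGN_REQUEST: type, string key blob, string data, uint32 flags."""
    body = (bytes([SSH_AGENTC_SIGN_REQUEST]) + ssh_string(key_blob)
            + ssh_string(data) + struct.pack(">I", flags))
    return frame(body)


def parse_identities_answer(body: bytes):
    """Parse an SSH_AGENT_IDENTITIES_ANSWER body (outer frame already removed).

    Returns a list of (key_blob, comment) tuples."""
    if not body or body[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not an identities answer")
    (count,) = struct.unpack(">I", body[1:5])
    off, keys = 5, []
    for _ in range(count):
        blob, off = read_string(body, off)
        comment, off = read_string(body, off)
        keys.append((blob, comment.decode("utf-8", "replace")))
    return keys


def parse_sign_response(body: bytes):
    """Return the signature blob, or None when the agent refused.

    A refusal (SSH_AGENT_FAILURE) is what a declined ssh-askpass
    confirmation for a key loaded with 'ssh-add -c' looks like."""
    if not body or body[0] == SSH_AGENT_FAILURE:
        return None
    if body[0] != SSH_AGENT_SIGN_RESPONSE:
        raise ValueError("unexpected reply type %d" % body[0])
    sig, _ = read_string(body, 1)
    return sig


def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the connection")
        buf += chunk
    return buf


def agent_roundtrip(sock, request: bytes) -> bytes:
    """Send one framed request and return the reply body without its frame."""
    sock.sendall(request)
    (n,) = struct.unpack(">I", recv_exact(sock, 4))
    return recv_exact(sock, n)


def list_agent_keys(path: str):
    """Connect to the agent socket at path and list the loaded identities."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        return parse_identities_answer(agent_roundtrip(s, build_request_identities()))


# Constructed sample reply: one identity with a fake blob and comment (no real key).
SAMPLE_ANSWER = (bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 1)
                 + ssh_string(b"fake-key-blob") + ssh_string(b"user@laptop"))

if __name__ == "__main__":
    path = os.environ.get("SSH_AUTH_SOCK")
    keys = list_agent_keys(path) if path else parse_identities_answer(SAMPLE_ANSWER)
    for blob, comment in keys:
        print(len(blob), "byte blob, comment:", comment)
```

Run with SSH_AUTH_SOCK set to see your own agent's key list; without it the script parses the constructed sample. Note that only the sign request is gated by `-c`; listing identities (and with it every key comment, which often names the host or user the key is for) is answered without confirmation.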