From: Jesper Wallin
Subject: Re: Move the ssh-agent socket from /tmp to $HOME/.ssh/
To: Theo de Raadt
Cc: tech@openbsd.org
Date: Tue, 29 Apr 2025 16:31:58 +0200

On Tue, Apr 29, 2025 at 08:06:54AM -0600, Theo de Raadt wrote:
> Jesper Wallin wrote:
> 
> > On Tue, Apr 29, 2025 at 07:48:35AM -0600, Theo de Raadt wrote:
> > > ~/ can be on NFS, whereas /tmp is guaranteed to be local.
> > > 
> > > Your proposal has some pretty big consequences.
> > 
> > Oh, good point. Yeah, that complicates things.
> > 
> > > As for your problem with /tmp versus in a sub-directory of home, I
> > > don't see how this is actually solving it.
> > > 
> > > Unveil does not solve the problem of non-unveiled programs accessing
> > > files. It only prevents unveiled programs from accessing such files,
> > > obviously.
> > 
> > Hehe, obviously.
> > 
> > The scenario I had in mind was Firefox, where each process is unveiled
> > to only have access to the files and directories it needs access to.
> > Though, every single process of Firefox has 'rwc' access to /tmp.
> > 
> > So if Firefox got compromised, it can still access my ssh-agent socket
> > that lives in /tmp. Though, Firefox does not have access to ~/.ssh.
> 
> And what does firefox do then?
> 

I just thought having access to one's ssh-agent was bad and that an
attacker could use it to authenticate with the added keys. But yeah,
even if that statement is true, the attacker doesn't know where those
keys are being used. So yeah, maybe a bit far-fetched.

Though, another solution, *if* this is a problem at all that is, would
be to use ssh-add with -c. Then it doesn't matter where the socket is
located.

Though, if it's not a problem, my apologies for the noise.
:-) Index: app/xenodm/config/Xsession.in =================================================================== RCS file: /cvs/xenocara/app/xenodm/config/Xsession.in,v diff -u -p -r1.2 Xsession.in --- app/xenodm/config/Xsession.in 1 Jul 2022 20:42:06 -0000 1.2 +++ app/xenodm/config/Xsession.in 29 Apr 2025 14:30:27 -0000 @@ -29,7 +29,7 @@ then do if [ -f "$HOME/.ssh/$k" ]; then eval `ssh-agent -s` - ssh-add < /dev/null + ssh-add -c < /dev/null break fi done
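Review bot: switching the default to `ssh-add -c < /dev/null` makes every later use of the loaded key an ssh-askpass(1) confirmation dialog for every xenodm user (each ssh connection, each agent-forwarded signature), and the thread above ends without agreement that agent exposure via /tmp is a problem worth that cost; make the confirm constraint opt-in, for example a variable the loop checks before choosing between `ssh-add < /dev/null` and `ssh-add -c < /dev/null`, and document it in the file's comments or the xenodm docs rather than changing behaviour silently. Note also that the agent decides confirmations only through the askpass program, never on a terminal, so the `< /dev/null` redirect no longer just suppresses a passphrase prompt: a session where the agent cannot reach ssh-askpass loads the key but refuses every signature, and the Xsession comments should say so.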
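The point made in the thread, that whoever can open the agent socket can authenticate with the loaded keys and that `ssh-add -c` gates this regardless of where the socket lives, as an added shell example (not code from the thread or from xenodm's Xsession). It assumes OpenSSH 8.4 or later tools on PATH (it uses SSH_ASKPASS_REQUIRE=force so a headless agent still runs its askpass program), generates a throwaway ed25519 key in a temp directory in place of ~/.ssh/id_*, and uses two tiny scripts as stand-ins for the user pressing OK or Cancel in ssh-askpass(1):

```shell
#!/bin/sh
# Added example for the thread above; not code from xenodm or from the thread's
# authors. It shows that whoever can open SSH_AUTH_SOCK can sign with every
# loaded key (no access to ~/.ssh needed), and that the -c constraint from the
# patch gates each signature through ssh-askpass(1) wherever the socket lives.
#
# Assumptions, all mine: OpenSSH >= 8.4 tools (ssh-agent, ssh-add, ssh-keygen)
# on PATH, SSH_ASKPASS_REQUIRE=force so a headless agent still runs the askpass
# program, a throwaway ed25519 key in a temp dir standing in for ~/.ssh/id_*,
# and two tiny scripts standing in for the user pressing OK or Cancel.

have_tools() {
    command -v ssh-agent >/dev/null 2>&1 &&
    command -v ssh-add >/dev/null 2>&1 &&
    command -v ssh-keygen >/dev/null 2>&1
}

# Start an agent whose confirmations run the askpass-style program $1.
# The agent takes SSH_ASKPASS from its own environment, so it has to be set
# before ssh-agent starts (in Xsession that is the session environment).
start_agent() {
    eval "$(SSH_ASKPASS="$1" SSH_ASKPASS_REQUIRE=force ssh-agent -s)" >/dev/null
}

stop_agent() {
    ssh-agent -k >/dev/null 2>&1 || true
    unset SSH_AUTH_SOCK SSH_AGENT_PID
}

# Ask the agent for a signature with the key behind the .pub file $1.
# This is all a process that merely reached the socket has to do; it never
# touches the private key file.
agent_can_sign() {
    ssh-add -T "$1" >/dev/null 2>&1
}

# Write a stand-in for ssh-askpass(1) to $1 that records the agent's question
# and exits with status $2 (the agent treats a non-zero exit as refusal).
write_askpass() {
    cat > "$1" <<EOF
#!/bin/sh
printf 'agent asked: %s\n' "\$1" >> "\${0%/*}/prompts.log"
exit $2
EOF
    chmod 0755 "$1"
}

# Fresh agent with askpass program $1, key $2 loaded with ssh-add flags $3;
# returns 0 if a signature request succeeded, non-zero if it was refused.
try_scenario() {
    start_agent "$1"
    ssh-add $3 "$2" >/dev/null 2>&1 || { stop_agent; return 2; }
    if agent_can_sign "$2.pub"; then status=0; else status=1; fi
    stop_agent
    return $status
}

# Runs the three cases and returns 0 only if they behave as the thread claims:
#   plain    ssh-add, as Xsession does today  -> socket holder signs freely
#   denied   ssh-add -c, user hits Cancel     -> signature refused
#   allowed  ssh-add -c, user hits OK         -> legitimate use still works
demo() {
    workdir=$(mktemp -d) || return 1
    key="$workdir/id_ed25519"
    ssh-keygen -q -t ed25519 -N '' -C 'throwaway demo key' -f "$key" || return 1
    write_askpass "$workdir/askpass-deny" 1
    write_askpass "$workdir/askpass-allow" 0

    plain=1;   try_scenario "$workdir/askpass-deny"  "$key" ""   && plain=0
    denied=1;  try_scenario "$workdir/askpass-deny"  "$key" "-c" && denied=0
    allowed=1; try_scenario "$workdir/askpass-allow" "$key" "-c" && allowed=0

    echo "ssh-add           : sign status $plain   (0: anyone holding the socket can sign)"
    echo "ssh-add -c, Cancel: sign status $denied   (1: refused)"
    echo "ssh-add -c, OK    : sign status $allowed   (0: the user still works)"
    [ -f "$workdir/prompts.log" ] && sed 's/^/  /' "$workdir/prompts.log"
    rm -rf "$workdir"
    [ "$plain" -eq 0 ] && [ "$denied" -ne 0 ] && [ "$allowed" -eq 0 ]
}

if have_tools; then
    demo
else
    echo "OpenSSH client tools not on PATH; nothing to demonstrate" >&2
fi
```

In a real xenodm session the agent already has DISPLAY, so the two stand-in scripts correspond to the user clicking OK or Cancel in the real ssh-askpass(1) dialog; SSH_ASKPASS_REQUIRE=force is only there so the demonstration runs without an X display. The first case is what the current Xsession gives a compromised process that can reach /tmp: the signature succeeds without any access to ~/.ssh. The second shows why socket placement stops mattering once the key carries the confirm constraint, and the third that the constraint costs the legitimate user one dialog per signature, which is the trade-off the patch imposes on everyone.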