From: Florian Obser
Subject: Re: Move the ssh-agent socket from /tmp to $HOME/.ssh/
To: tech@openbsd.org
Date: Tue, 29 Apr 2025 17:38:16 +0200

On 2025-04-29 16:31 +02, Jesper Wallin wrote:
>> And what does firefox do then?
>>
>
> I just thought having access to one's ssh-agent was bad and that an
> attacker could use it to authenticate with the added keys. But yeah,
> even if that statement is true, the attacker doesn't know where those
> keys are being used. So yeah, maybe a bit far-fetched.
>
>
> Though, another solution, *if* this is a problem at all that is, would
> be to use ssh-add with -c. Then it doesn't matter where the socket is
> located. Though, if it's not a problem, my apologies for the noise. :-)

I think it's a problem, but if your threat modelling includes firefox
playing around with the ssh-agent, ssh-add -c doesn't help all that much.
I would assume that at that point firefox has arbitrary code execution as
your user and can just click the "ok" button.

I'd go for a fido hardware token.

-- 
In my defence, I have been left unsupervised.
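The thread's starting point is that the agent socket should live under $HOME/.ssh rather than /tmp. The script below is an added example, not code from the thread or from OpenBSD: a small POSIX sh check a defender can run against $SSH_AUTH_SOCK to confirm the socket sits under $HOME/.ssh, is owned by the current user, and grants no group/other access. The function name check_agent_socket and the demo helper are hypothetical, and the demo uses a plain placeholder file in a throwaway HOME to stand in for a real socket, since the checks only look at path, owner and mode.

```shell
#!/bin/sh
# Added example (not from the thread): verify an ssh-agent socket path the way
# a defender would after moving it out of /tmp. Passes only if the path lives
# under $HOME/.ssh, is owned by the calling user, and has no group/other bits.
# Returns 0 on pass, 1 on fail, printing the reason.
check_agent_socket() {
    path=$1
    case $path in
        "$HOME"/.ssh/*) ;;
        *) echo "fail: $path is not under $HOME/.ssh"; return 1 ;;
    esac
    [ -e "$path" ] || { echo "fail: $path does not exist"; return 1; }
    # ls -ld works the same on BSD and Linux: field 1 is the mode string,
    # field 3 the owner (no stat(1) flag differences to worry about).
    set -- $(ls -ld "$path")
    mode=$1
    owner=$3
    [ "$owner" = "$(id -un)" ] || { echo "fail: $path is owned by $owner"; return 1; }
    # Characters 5-10 of the mode string are the group and other bits; a
    # trailing '@' or '+' (extended attributes / ACLs) is tolerated by the '*'.
    case $mode in
        ????------*) ;;
        *) echo "fail: mode $mode grants group/other access to $path"; return 1 ;;
    esac
    echo "ok: $path"
    return 0
}

# Constructed demonstration: a throwaway HOME with a placeholder file standing
# in for the socket. Shows one passing path and two failing ones.
demo_agent_socket_check() {
    oldhome=$HOME
    HOME=$(mktemp -d) || return 1
    export HOME
    mkdir -m 700 "$HOME/.ssh"
    good="$HOME/.ssh/agent.sock"
    : > "$good"
    chmod 600 "$good"
    check_agent_socket "$good"                      # ok
    chmod 644 "$good"
    check_agent_socket "$good" || true              # fail: group/other readable
    check_agent_socket /tmp/agent.sock || true      # fail: not under $HOME/.ssh
    rm -rf "$HOME"
    HOME=$oldhome
    export HOME
}

demo_agent_socket_check
```

To check a live session, run `check_agent_socket "$SSH_AUTH_SOCK"` after the function is sourced; it reports the first failing condition, so a socket still under /tmp is flagged before owner or mode are inspected.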