From: "Ted Unangst"
Subject: Re: Move the ssh-agent socket from /tmp to $HOME/.ssh/
To: "Theo de Raadt"
Cc: "Jesper Wallin", tech@openbsd.org
Date: Tue, 29 Apr 2025 13:59:55 -0400

On 2025-04-29, Theo de Raadt wrote:
> ~/ can be on NFS, whereas /tmp is guaranteed to be local.

Does that matter? There can be several sockets, and just having one from another machine doesn't mean anything, ssh won't use it. The environment will only point to the one that works on the local machine.

> As for your problem with /tmp versus in a sub-directory of home, I
> don't see how this is actually solving it.
>
> Unveil does not solve the problem of non-unveiled programs accessing
> files. It only prevents unveiled programs from accessing such files,
> obviously.

Most of the big baddies are using unveil, fortunately, it's just that they generally get a pretty big view to /tmp.

For a more out there proposal, if it's necessary to be local, we could use /var/run/ssh-agent. (ssh-agent is setgid.)
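The point above, that a socket file left in a shared directory by an agent on another machine is just a dead file and a client will not use it, can be shown with the actual ssh-agent wire protocol. The script below is an added example written for this page, not code from the OpenBSD thread or from ssh-agent itself. It probes a candidate socket path by sending SSH_AGENTC_REQUEST_IDENTITIES (message type 11) and accepting only a SSH_AGENT_IDENTITIES_ANSWER (type 12) as proof of a live agent. To run offline it constructs its own inputs in a scratch directory: one socket file with no listener behind it (standing in for the NFS case or an agent that has exited) and one minimal fake agent, run in a thread, that answers with zero keys; the fake agent, the scratch paths and the single-connection server are all assumptions of the demo.

```python
import os
import shutil
import socket
import struct
import tempfile
import threading

# ssh-agent protocol message numbers (draft-miller-ssh-agent).
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12


def recv_exact(conn, n):
    """Read exactly n bytes or raise ValueError on a short read."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ValueError("short read")
        buf += chunk
    return buf


def probe_agent(path, timeout=1.0):
    """Return True only if a live ssh-agent answers REQUEST_IDENTITIES on `path`.

    A socket file that exists but has no listener (left behind by an agent that
    exited, or created by an agent on another host when the directory is shared
    over NFS) fails at connect() and is reported as dead.
    """
    if not os.path.exists(path):
        return False
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(path)
            # Request: uint32 length (1), then the single message-type byte.
            s.sendall(struct.pack(">IB", 1, SSH_AGENTC_REQUEST_IDENTITIES))
            (length,) = struct.unpack(">I", recv_exact(s, 4))
            if not 1 <= length <= 256 * 1024:
                return False
            body = recv_exact(s, length)
            return body[0] == SSH_AGENT_IDENTITIES_ANSWER
    except (OSError, ValueError):
        return False


def pick_live_socket(candidates):
    """Return the first candidate path with a live agent behind it, or None."""
    for path in candidates:
        if probe_agent(path):
            return path
    return None


def serve_empty_agent(path, ready):
    """Fake agent (constructed for this demo): serves exactly one connection,
    answering REQUEST_IDENTITIES with an IDENTITIES_ANSWER carrying zero keys."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(path)
        srv.listen(1)
        ready.set()
        conn, _ = srv.accept()
        with conn:
            recv_exact(conn, 5)  # uint32 length + type byte of the request
            # Answer: uint32 length (5), type byte, uint32 nkeys = 0.
            conn.sendall(struct.pack(">IBI", 5, SSH_AGENT_IDENTITIES_ANSWER, 0))


def demo():
    """Create one stale socket file and one live fake agent in a scratch
    directory (both constructed here), then report which path a client picks."""
    scratch = tempfile.mkdtemp(prefix="agent-demo.")
    stale = os.path.join(scratch, "agent.stale")
    live = os.path.join(scratch, "agent.live")
    try:
        # Stale socket: bind() creates the file, but nothing ever listens on it.
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.bind(stale)
        ready = threading.Event()
        t = threading.Thread(target=serve_empty_agent, args=(live, ready), daemon=True)
        t.start()
        ready.wait(2.0)
        result = {
            "stale_exists": os.path.exists(stale),
            "stale_live": probe_agent(stale),
            "chosen": pick_live_socket([stale, live]),
        }
        t.join(2.0)
        return result
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The stale path exists on disk, so a check based only on the file's presence would accept it; the probe rejects it because connect() fails, and the client settles on the one socket that actually answers, which is the behaviour the reply above describes for ssh with SSH_AUTH_SOCK.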