From: Jay Acuna
Subject: Re: Move the ssh-agent socket from /tmp to $HOME/.ssh/
To: Ted Unangst
Cc: Theo de Raadt, Jesper Wallin, tech@openbsd.org
Date: Tue, 29 Apr 2025 14:49:41 -0500

On Tue, Apr 29, 2025 at 1:00 PM Ted Unangst wrote:
> On 2025-04-29, Theo de Raadt wrote:
> > ~/ can be on NFS, whereas /tmp is guaranteed to be local.
> Does that matter? There can be several sockets, and just having
> one from another machine doesn't mean anything, ssh won't use it.

I think the SSH socket files are inherently temporary and ~ is not
meant to be used as app scratch space for temp files. As mentioned,
the homedir is commonly a remote mount.

I would have an alternate suggestion: create a
mkdir -p /tmp/username.private.$$/ssh
subdirectory within /tmp and choose that subdirectory for the SSH socket.

Then use your unveil(2) to subdivide the restrictions on /tmp further and
block access to everything below that user's /tmp/username.private.$$
subdirectory that has the ssh subdirectory while still allowing access at
the /tmp folder level itself.

--
-JA
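
The directory layout suggested in the message above, as an added example that is not part of the original post and not OpenSSH's code: it creates the per-user, per-PID directory under /tmp with mode 0700 and binds a socket inside it. The function name, the `agent.sock` file name and the buffer sizes are assumptions, and the unveil(2) step is not covered.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/un.h>
#include <unistd.h>

/* Hypothetical helper: create <base>/<user>.private.<pid>/ssh, both mode 0700,
 * and bind a listening socket "agent.sock" inside it (names are assumptions).
 * Returns the listening fd and fills sock_path, or returns -1 on any failure. */
int make_private_agent_socket(const char *base, const char *user,
                              char *sock_path, size_t len)
{
    char top[64], sub[72];
    struct sockaddr_un sa;
    struct stat st;
    int fd, n;

    n = snprintf(top, sizeof(top), "%s/%s.private.%ld", base, user, (long)getpid());
    if (n < 0 || (size_t)n >= sizeof(top))
        return -1;
    snprintf(sub, sizeof(sub), "%s/ssh", top);
    n = snprintf(sock_path, len, "%s/agent.sock", sub);
    if (n < 0 || (size_t)n >= len || (size_t)n >= sizeof(sa.sun_path))
        return -1;

    /* The name is predictable (user + pid), so use plain mkdir, not mkdir -p:
     * an entry that already exists (EEXIST) may belong to someone else. */
    if (mkdir(top, 0700) == -1)
        return -1;
    /* lstat does not follow symlinks: require a real directory, owned by us,
     * with no group/other permission bits. */
    if (lstat(top, &st) == -1 || !S_ISDIR(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & 077) != 0)
        return -1;
    if (mkdir(sub, 0700) == -1)
        return -1;

    memset(&sa, 0, sizeof(sa));
    sa.sun_family = AF_UNIX;
    memcpy(sa.sun_path, sock_path, (size_t)n + 1);
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1)
        return -1;
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) == -1 || listen(fd, 8) == -1) {
        close(fd);
        return -1;
    }
    return fd;
}
```

A second call from the same process fails because the top-level directory already exists, which is the behaviour that rejects a directory pre-created by another local user.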