Darren Tucker wrote:
> Corinna Vinschen wrote:
>> ? Is there any good reason why root should be able to connect to the
>> ssh-agent of a user? What is that reason?

>
> ssh is setuid root in some configurations (eg for
> RhostsRSAAuthentication, UsePrivilegedPort).


Hmm, on the other hand, ssh should have dropped privs by that point anyway.

On the other, other hand, it doesn't buy any additional protection since
all root has to do is "su user -c ssh whatever".

Maybe it's to allow the use of the agent when someone su's (or sudo's) to
root? The cvs log on ssh-agent.c (rev 1.113) says:

- markus@cvs.openbsd.org 2002/10/01 20:34:12
[ssh-agent.c]
allow root to access the agent, since there is no protection from root.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://www.mindrot.org/mailman/listi...enssh-unix-dev