SSH agent access - SSH



Thread: SSH agent access

  1. SSH agent access

    Using OpenSSH on a Linux box, I get my SSH environment set up when my
    desktop starts. That is, when the desktop is launched, associated with
    the desktop an SSH agent is started. After that, every new terminal
    emulator (at least, common ones like xterm) that I start at the desktop
    inherits the environment variables SSH_AGENT_PID and SSH_AUTH_SOCK, which
    further allow me to let the SSH agent know about my credentials, by means
    of the ssh-add command.

    Imagine now that I start a shell into this box bypassing the desktop.
    Is there a simple way whereby this shell can get access to SSH_AGENT_PID and
    SSH_AUTH_SOCK, as defined in the desktop? I could of course create another
    SSH agent, but I want to have just one SSH agent running at all times.

    The only way I have found so far to do it is by making sure that the
    values of SSH_AGENT_PID and SSH_AUTH_SOCK are written to a file that is
    accessible from the newly created shell. This is clumsy and insecure, and
    I wonder if there is a better way?



  2. Re: SSH agent access

    >>>>> "AD" == Augustus SFX van Dusen writes:

    AD> The only way I have found so far to do it is by making
    AD> sure that the values of SSH_AGENT_PID and SSH_AUTH_SOCK are
    AD> written to a file that is accessible from the newly created
    AD> shell. This is clumsy and insecure, and I wonder if there is a
    AD> better way?

    It is not particularly insecure, since agent access control does not
    depend on keeping the socket location secret.

    As for a better way: you set your SSH_AUTH_SOCK to a constant value, say
    ~/.ssh-agent, and maintain that as a symlink to the current agent socket
    as part of the login process that starts the agent.

    --
    Richard Silverman
    res@qoxp.net


  3. Re: SSH agent access

    On 2006-01-18, Augustus SFX van Dusen wrote:
    [...]
    > Imagine now that I start a shell into this box bypassing the desktop.
    > Is there a simple way whereby this shell can get access to SSH_AGENT_PID and
    > SSH_AUTH_SOCK, as defined in the desktop? I could of course create another
    > SSH agent, but I want to have just one SSH agent running at all times.
    >
    > The only way I have found so far to do it is by making sure that the
    > values of SSH_AGENT_PID and SSH_AUTH_SOCK are written to a file that is
    > accessible from the newly created shell. This is clumsy and insecure, and
    > I wonder if there is a better way?


    That's what you need to do (and there are tools like Gentoo's keychain
    to help) but it's not insecure. SSH_AGENT_PID and SSH_AUTH_SOCK are
    environment variables which are visible to any user on the system (try
    "ps auxewww |grep SSH_AGENT_").

    ssh-agent's security comes from the permissions of the socket (read/write
    only by the user in question) and, on platforms that support it (which
    includes Linux), the effective uid of the process connecting to the
    socket is compared to that of the one that started the agent. If they
    don't match then the agent doesn't respond.

    Of course, if your account is compromised (or an attacker gets root)
    then they may use the agent. To mitigate that you may limit
    the lifetime of keys (the "-t" option to both ssh-agent and ssh-add),
    by requiring use of a key to be confirmed (ssh-add -c), or by locking
    the agent when not being used (ssh-add -x/-X). Note that a determined
    attacker with root access could probably overcome some or all of these.

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.

  4. Re: SSH agent access

    On 2006-01-19, Richard E. Silverman wrote:
    > As for a better way: you set your SSH_AUTH_SOCK to a constant value, say
    > ~/.ssh-agent, and maintain that as a symlink to the current agent socket
    > as part of the login process that starts the agent.


    You don't even need the symlink: you can specify the location of the socket
    when you start the agent (ssh-agent -a /path/to/socket).

    If you have a shared home dir (eg NFS /home) then you probably want to
    stick the hostname somewhere in the path, though.

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.

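    The login-script logic that posts 3 and 4 describe, put together as an added
    example (this is not code from the thread, from OpenSSH, or from keychain): the
    agent is started once with its socket pinned to a fixed, per-host path under
    ~/.ssh via ssh-agent -a, any later shell (desktop or not) just exports that
    path, and the script refuses a socket whose group/other permission bits are
    set. It assumes OpenSSH's ssh-agent and ssh-add are on PATH, that ~/.ssh
    exists with mode 0700, and the socket file name "agent-<host>.sock" is an
    illustrative choice, not anything the posts prescribe.

```shell
#!/bin/sh
# Keep exactly one ssh-agent per user per host and reach it from any shell.
# Source this file from ~/.profile, or run it by hand in a shell that was
# started without the desktop.  Assumptions (mine, not the thread's): OpenSSH
# ssh-agent/ssh-add on PATH, ~/.ssh present with mode 0700, and the socket
# file name below is illustrative.

# Fixed socket path.  The hostname is embedded because a UNIX socket created
# on host A is meaningless on host B when $HOME is shared over NFS.
agent_socket_path() {
    printf '%s/.ssh/agent-%s.sock\n' "$HOME" "$(uname -n)"
}

# Defence in depth on top of the agent's own uid check: columns 5-10 of
# "ls -l" are the group/other bits; all of them must be '-'.
socket_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Probe the agent behind a socket path.  Prints one of:
#   live   - agent answered (ssh-add -l exits 0 with keys, 1 with none)
#   dead   - socket file exists but nothing answers (ssh-add -l exits 2)
#   absent - no socket file at that path
agent_state() {
    if [ ! -S "$1" ]; then
        echo absent
        return 0
    fi
    if SSH_AUTH_SOCK="$1" ssh-add -l >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    case $rc in
        0|1) echo live ;;
        *)   echo dead ;;
    esac
}

# Make sure one agent listens on the fixed socket, then export it.
# Only the shell that starts the agent learns SSH_AGENT_PID; other shells
# do not need it (it is only used by "ssh-agent -k").
ensure_agent() {
    sock="$(agent_socket_path)"
    case "$(agent_state "$sock")" in
        live)
            ;;
        dead)
            rm -f "$sock"            # ssh-agent -a refuses to bind over a stale file
            eval "$(ssh-agent -s -a "$sock")" >/dev/null
            ;;
        absent)
            eval "$(ssh-agent -s -a "$sock")" >/dev/null
            ;;
    esac
    if ! socket_is_private "$sock"; then
        echo "refusing to use $sock: group/other permission bits are set" >&2
        return 1
    fi
    SSH_AUTH_SOCK="$sock"
    export SSH_AUTH_SOCK
}

# Load a key with the mitigations from post 3: a bounded lifetime (-t) and
# per-use confirmation (-c).  The 8h lifetime is an arbitrary example value.
load_key() {
    ssh-add -t 8h -c "$1"
}

# Usage (run by hand):
#   . ./agent.sh && ensure_agent && load_key ~/.ssh/id_ed25519
```

    A desktop session and a plain SSH login both end up with the same
    SSH_AUTH_SOCK, so ssh-add run in either place feeds the one agent. The
    "dead" branch matters after a reboot or a crashed agent: the stale socket
    file would otherwise block ssh-agent -a from binding. Locking the agent
    while away (ssh-add -x, unlock with -X) is deliberately left as a manual
    step, since it prompts for a passphrase.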
  5. Re: SSH agent access

    Thanks everybody for your replies. I guess that instructing ssh-agent to
    create and use a fixed socket under $HOME/.ssh should do the trick.


