On Mon, 20 Nov 2006, Mick wrote:

> On Monday 20 November 2006 17:20, Jorge Almeida wrote:
>> I've been reading the ssh-agent documentation (and googling) and it
>> seems clear, except for two issues for which I couldn't find any docs:
>>
>> What (where) is the ssh-agent cache? Some directory where the decrypted
>> keys are kept? (I mean, if I keep ssh-agent running all day, is it more
>> secure than just having my private keys unencrypted?)
>
> I understand (but could well be wrong) that the ssh-agent creates a new
> directory in /tmp/ with restrictive permissions (0700) and then creates a
> unix socket in it, with rather restrictive permissions (0600). Anyone who can
> connect to this socket (a hacker?!) could access your decrypted keys. Also,
> root can access the socket and therefore your keys.
>
Well, assuming that you're right, the whole concept is rather
disappointing. After all, the private keys have the same restrictive
permissions, and if the keys are kept in the clear when the agent is
active, then a hacker might fetch the keys from the temporary dir as
well as from ~/.ssh (I'm not really taking into account the extra
security-by-obscurity provided by the variable path to the socket.)

Maybe I didn't understand the whole thing.
>> When adding keys with ssh-add, does it use protected memory to get the
>> passphrases?
>
> I believe the above answer covers this too. If you run the ssh-add with
> the -c option the agent will run the ssh-askpass when anyone tries to
> retrieve the passwords.
>
What I meant is whether the passphrase to decrypt a key (in order to
put it in the cache) is really safe.
> This is how it used to be last time I looked at it, not sure how it has
> evolved over the last few months.
>
Thanks.

-- 
Jorge Almeida
-- 
gentoo-user@g.o mailing list
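The layout Mick describes (a 0700 directory under /tmp holding a 0600 unix socket) can be checked directly against a running agent. The script below is an added example written for this page; it is not code from the thread or from OpenSSH. It assumes a GNU or BSD `stat`, a POSIX shell with the `-O` (owned by current user) file test, and that the caller passes the socket path, normally `$SSH_AUTH_SOCK`. Besides the permission and ownership checks it lists anything in the socket directory other than the socket itself: ssh-agent keeps decrypted keys in its own process memory and writes no key files, so the directory should hold nothing but the socket, and any extra entry there deserves a look. The `demo_live_agent` function starts a throwaway agent when `ssh-agent` is installed and skips quietly when it is not.

```shell
#!/bin/sh
# Added example for the ssh-agent socket discussion; not part of the original
# thread or of OpenSSH. Assumes GNU or BSD stat and a shell with `[ -O ]`.

# Print the low three octal digits of a path's mode (GNU stat, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Check that an agent socket and its directory look as the thread describes.
# Returns 0 when everything is in order, otherwise a distinct code:
#   1: path missing        2: directory not 0700    3: socket not 0600
#   4: not owned by us     5: extra entries beside the socket
# `-e` rather than `-S` is used so the check can also be exercised against a
# stand-in regular file when no agent is running.
check_agent_socket() {
    sock=$1
    dir=$(dirname "$sock")
    if [ ! -e "$sock" ]; then
        echo "no such path: $sock" >&2; return 1
    fi
    if [ "$(mode_of "$dir")" != "700" ]; then
        echo "directory $dir is mode $(mode_of "$dir"), expected 700" >&2; return 2
    fi
    if [ "$(mode_of "$sock")" != "600" ]; then
        echo "socket $sock is mode $(mode_of "$sock"), expected 600" >&2; return 3
    fi
    if [ ! -O "$dir" ] || [ ! -O "$sock" ]; then
        echo "$dir or $sock is not owned by the current user" >&2; return 4
    fi
    # The agent keeps decrypted keys in memory, not on disk: the directory
    # should contain the socket and nothing else.
    extra=$(find "$dir" -mindepth 1 ! -path "$sock" | head -n 1)
    if [ -n "$extra" ]; then
        echo "unexpected entry beside the socket: $extra" >&2; return 5
    fi
    return 0
}

# Start a throwaway agent, check its socket, show the listing, kill the agent.
# Returns 0 (skipped) when ssh-agent is not installed on this machine.
demo_live_agent() {
    if ! command -v ssh-agent >/dev/null 2>&1; then
        echo "ssh-agent not installed, skipping live check"; return 0
    fi
    eval "$(ssh-agent -s)" >/dev/null
    check_agent_socket "$SSH_AUTH_SOCK"; rc=$?
    ls -ld "$(dirname "$SSH_AUTH_SOCK")" "$SSH_AUTH_SOCK"
    ssh-agent -k >/dev/null
    return $rc
}
```

Against a live session, `check_agent_socket "$SSH_AUTH_SOCK"` is the one-liner worth keeping; a non-zero return with the message on stderr tells you which of the thread's assumptions no longer holds on your box.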