| 1 |
On Mon, 20 Nov 2006, Mick wrote: |
| 2 |
|
| 3 |
> On Monday 20 November 2006 17:20, Jorge Almeida wrote: |
| 4 |
>> I've been reading the ssh-agent documentation (and googling) and it |
| 5 |
>> seems clear, except for two issues for which I couldn't find any docs: |
| 6 |
>> |
| 7 |
>> What (where) is the ssh-agent cache? Some directory where the decrypted |
| 8 |
>> keys are kept? (I mean, if I keep ssh-agent running all day, is it more |
| 9 |
>> secure than just having my private keys unencrypted?) |
| 10 |
> |
| 11 |
> I understand (but could well be wrong) that the ssh-agent creates a new |
| 12 |
> directory in /tmp/ with restrictive permissions (0700) and then creates a |
| 13 |
> unix socket in it, with rather restrictive permissions (0600). Anyone who can |
| 14 |
> connect to this socket (a hacker?!) could access your decrypted keys. Also, |
| 15 |
> root can access the socket and therefore your keys. |
| 16 |
> |
| 17 |
Well, assuming that you're right, the whole concept is rather |
| 18 |
disappointing. After all, the private keys have the same restrictive |
| 19 |
permissions, and if the keys are kept in the clear when the agent is |
| 20 |
active, then a hacker might fetch the keys from the temporary dir as |
| 21 |
well as from ~/.ssh (I'm not really taking into account the extra |
| 22 |
security-by-obscurity provided by the variable path to the socket.) |
| 23 |
|
| 24 |
Maybe I didn't understand the whole thing. |
| 25 |
>> When adding keys with ssh-add, does it use protected memory to get the |
| 26 |
>> passphrases? |
| 27 |
> |
| 28 |
> I believe the above answer covers this too. If you run the ssh-add with |
| 29 |
> the -c option the agent will run the ssh-askpass when anyone tries to |
| 30 |
> retrieve the passwords. |
| 31 |
> |
| 32 |
What I meant is whether the passphrase to unencrypt a key (in order to |
| 33 |
put ot in the cache) is really safe. |
| 34 |
> This is how it used to be last time I looked at it, not sure how it has |
| 35 |
> evolved over the last few months. |
| 36 |
> |
| 37 |
Thanks. |
| 38 |
|
| 39 |
-- |
| 40 |
Jorge Almeida |
| 41 |
-- |
| 42 |
gentoo-user@g.o mailing list |
Archives