On Monday 20 November 2006 17:20, Jorge Almeida wrote:
> I've been reading the ssh-agent documentation (and googling) and it
> seems clear, except for two issues for which I couldn't find any docs:
>
> What (where) is the ssh-agent cache? Some directory where the decrypted
> keys are kept? (I mean, if I keep ssh-agent running all day, is it more
> secure than just having my private keys unencrypted?)

I understand (but could well be wrong) that ssh-agent creates a new
directory in /tmp/ with restrictive permissions (0700) and then creates a
Unix socket in it, with rather restrictive permissions (0600). Anyone who can
connect to this socket (a hacker?!) could access your decrypted keys. Also,
root can access the socket and therefore your keys.

> When adding keys with ssh-add, does it use protected memory to get the
> passphrases?

I believe the above answer covers this too. If you run ssh-add with
the -c option, the agent will run ssh-askpass when anyone tries to
retrieve the passwords.

This is how it used to be the last time I looked at it; not sure how it has
evolved over the last few months.
--
Regards,
Mick
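An added check, not part of Mick's mail or of OpenSSH itself: a small POSIX sh script that verifies the filesystem side of what Mick describes, i.e. that the agent socket named by SSH_AUTH_SOCK really is a Unix socket with mode 0600, sitting in a directory with mode 0700, both owned by the user running the check. The function names and the warning messages are my own; it assumes only `ls`, `awk`, `id`, `dirname` and `test -S` from a POSIX userland.

```shell
#!/bin/sh
# Added example (not from the original mail): confirm that the running
# ssh-agent's socket is as locked down as described (dir 0700, socket 0600,
# both owned by the current user). Function names are hypothetical.

# Print "<perm-bits> <numeric-owner>" for a path, e.g. "rwx------ 1000".
# Parsed from `ls -ldn` so it works on both GNU and BSD userlands.
perm_and_owner() {
    ls -ldn "$1" | awk '{ print substr($1, 2, 9), $3 }'
}

# check_private_mode PATH EXPECTED_BITS
# Return 0 if PATH exists, is owned by the current uid and its permission
# bits are exactly EXPECTED_BITS (e.g. "rwx------"); 1 otherwise.
check_private_mode() {
    cpm_path=$1
    cpm_expected=$2
    [ -e "$cpm_path" ] || { echo "WARN: $cpm_path does not exist" >&2; return 1; }
    set -- $(perm_and_owner "$cpm_path")
    cpm_perms=$1
    cpm_owner=$2
    if [ "$cpm_owner" != "$(id -u)" ]; then
        echo "WARN: $cpm_path is owned by uid $cpm_owner, not $(id -u)" >&2
        return 1
    fi
    if [ "$cpm_perms" != "$cpm_expected" ]; then
        echo "WARN: $cpm_path has mode $cpm_perms, expected $cpm_expected" >&2
        return 1
    fi
    return 0
}

# check_agent_socket [SOCKET_PATH]
# The socket must really be a Unix socket, mode 0600, inside a 0700 directory.
# Defaults to $SSH_AUTH_SOCK. Returns 0 on success, 1 on any failed check.
check_agent_socket() {
    cas_sock=${1:-${SSH_AUTH_SOCK:-}}
    [ -n "$cas_sock" ] || { echo "WARN: no socket path given and SSH_AUTH_SOCK is unset" >&2; return 1; }
    [ -S "$cas_sock" ] || { echo "WARN: $cas_sock is not a Unix socket" >&2; return 1; }
    check_private_mode "$(dirname "$cas_sock")" "rwx------" || return 1
    check_private_mode "$cas_sock" "rw-------" || return 1
    echo "OK: $cas_sock is a private agent socket (dir 0700, socket 0600)"
    return 0
}

# Usage: sh agent-socket-check.sh [socket-path]
# Runs against the live agent when a path or SSH_AUTH_SOCK is available;
# sourcing the file just defines the functions.
if [ -n "${1:-${SSH_AUTH_SOCK:-}}" ]; then
    check_agent_socket "${1:-${SSH_AUTH_SOCK:-}}" || echo "agent socket check FAILED" >&2
fi
```

Note what this does and does not tell you: passing the check means no *other* local user can reach the socket through the filesystem. It says nothing about root, or about any process already running under your own uid, both of which can still connect to the socket and use the loaded keys for as long as the agent holds them.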