| 1 |
On Monday 20 November 2006 17:20, Jorge Almeida wrote: |
| 2 |
> I've been reading the ssh-agent documentation (and googling) and it |
| 3 |
> seems clear, except for two issues for which I couldn't find any docs: |
| 4 |
> |
| 5 |
> What (where) is the ssh-agent cache? Some directory where the decrypted |
| 6 |
> keys are kept? (I mean, if I keep ssh-agent running all day, is it more |
| 7 |
> secure than just having my private keys unencrypted?) |
| 8 |
|
| 9 |
I understand (but could well be wrong) that the ssh-agent creates a new |
| 10 |
directory in /tmp/ with restrictive permissions (0700) and then creates a |
| 11 |
unix socket in it, with rather restrictive permissions (0600). Anyone who can |
| 12 |
connect to this socket (a hacker?!) could access your decrypted keys. Also, |
| 13 |
root can access the socket and therefore your keys. |
| 14 |
|
| 15 |
> When adding keys with ssh-add, does it use protected memory to get the |
| 16 |
> passphrases? |
| 17 |
|
| 18 |
I believe the above answer covers this too. If you run the ssh-add with |
| 19 |
the -c option the agent will run the ssh-askpass when anyone tries to |
| 20 |
retrieve the passwords. |
| 21 |
|
| 22 |
This is how it used to be last time I looked at it, not sure how it has |
| 23 |
evolved over the last few months. |
| 24 |
-- |
| 25 |
Regards, |
| 26 |
Mick |
Archives