On Tuesday 21 November 2006 03:32, Jorge Almeida <jalmeida@××××××××××××.pt>
wrote about 'Re: [gentoo-user] ssh-agent':
> On Mon, 20 Nov 2006, Boyd Stephen Smith Jr. wrote:
> >> I understand (but could well be wrong) that the ssh-agent creates a
> >> new directory in /tmp/ with restrictive permissions (0700) and then
> >> creates a unix socket in it, with rather restrictive permissions
> >> (0600). Anyone who can connect to this socket (a hacker?!) could
> >> access your decrypted keys. Also, root can access the socket and
> >> therefore your keys.
> >
> > Technically this is incorrect, anyone that can read and write to this
> > socket can authenticate using the keys, but they can't read the key
> > material directly. They can also engage in a known-plaintext or
>
> OK, that's what I thought. But a trojan running with the normal user
> permissions could get the keys by reading the temporary directory (not
> by connecting to the socket). Is this right?

No. There are no files in the temporary directory besides the socket.

> Or are the keys protected
> in some other way?

They are only stored in locked memory; they are never on disk unencrypted.
Anyone that can read locked memory can access them, but this is very few
users/processes on Linux -- and besides those same users will be able to
read the key as you authenticate even if you don't use ssh-agent, as long
as they time things right.

-- 
"If there's one thing we've established over the years,
it's that the vast majority of our users don't have the slightest
clue what's best for them in terms of package stability."
-- Gentoo Developer Ciaran McCreesh
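The thread above describes the on-disk footprint of ssh-agent: a 0700 directory under /tmp holding a single 0600 unix socket, owned by the user, with the key material itself living only in the agent's locked memory. The script below is an added example, not code from the thread or from OpenSSH. It audits whatever path SSH_AUTH_SOCK points at against that layout (socket type, ownership, mode bits, and that nothing else sits beside the socket) and, when no agent is present, exercises the check against a constructed stand-in directory with a real but unattended unix socket. The function names and the stand-in layout are this example's own. A clean result says only that the permission bits match the described layout; it says nothing about root, which the mode bits do not restrict, and nothing about who has already connected.

```python
"""Audit the filesystem exposure of an ssh-agent socket.

Added example, not from the thread or from OpenSSH.  The layout it checks is
the one described in the thread: a 0700 directory under /tmp holding a single
0600 unix socket, both owned by the user running the agent.  Root is not
subject to these permission bits, so a clean result says nothing about root.
"""
import os
import shutil
import socket
import stat
import tempfile


def audit_agent_socket(sock_path, uid=None):
    """Return a list of findings for the agent socket at sock_path.

    An empty list means the socket is reachable only by its owner (and by
    root).  The checks are purely about permissions and layout; they cannot
    tell whether anyone has already connected to the agent.
    """
    uid = os.getuid() if uid is None else uid
    findings = []

    # lstat: a symlink standing in for the socket is itself a finding
    st = os.lstat(sock_path)
    sock_mode = stat.S_IMODE(st.st_mode)
    if not stat.S_ISSOCK(st.st_mode):
        findings.append("%s is not a unix socket" % sock_path)
    if st.st_uid != uid:
        findings.append("socket owned by uid %d, not %d" % (st.st_uid, uid))
    if sock_mode & 0o077:
        findings.append("socket mode %04o grants group/other access" % sock_mode)

    parent = os.path.dirname(sock_path)
    pst = os.stat(parent)
    dir_mode = stat.S_IMODE(pst.st_mode)
    if pst.st_uid != uid:
        findings.append("directory owned by uid %d, not %d" % (pst.st_uid, uid))
    if dir_mode & 0o077:
        findings.append("directory mode %04o grants group/other access" % dir_mode)

    # The agent keeps nothing but the socket in its directory, so any other
    # entry is unexpected and worth a look.
    extra = sorted(n for n in os.listdir(parent) if n != os.path.basename(sock_path))
    if extra:
        findings.append("unexpected entries beside the socket: %s" % ", ".join(extra))
    return findings


def make_fake_agent_dir(dir_mode=0o700, sock_mode=0o600):
    """Create a constructed stand-in for the agent's /tmp/ssh-XXXX/agent.PID
    layout and return the socket path.  No agent listens on it."""
    d = tempfile.mkdtemp(prefix="ssh-")
    path = os.path.join(d, "agent.%d" % os.getpid())
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(path)  # creates the socket inode; it persists after close
    s.close()
    os.chmod(path, sock_mode)
    os.chmod(d, dir_mode)
    return path


def remove_fake_agent_dir(sock_path):
    """Remove a directory created by make_fake_agent_dir."""
    shutil.rmtree(os.path.dirname(sock_path))


if __name__ == "__main__":
    target = os.environ.get("SSH_AUTH_SOCK")
    if target:
        problems = audit_agent_socket(target)
        print("%s: %s" % (target, "OK" if not problems else "; ".join(problems)))
    else:
        # No agent in this environment: show the check on constructed layouts.
        for dm, sm in ((0o700, 0o600), (0o755, 0o666)):
            p = make_fake_agent_dir(dm, sm)
            print("dir %04o / sock %04o -> %s" % (dm, sm, audit_agent_socket(p) or ["OK"]))
            remove_fake_agent_dir(p)
```

Run it in a shell where an agent is active and it reports on the real socket; run it elsewhere and it demonstrates the check on a tight layout and on a deliberately loosened one. The loosened case is the one to recognise: group/other bits on either the directory or the socket widen who can ask the agent to sign, even though, as the thread notes, no one gains the key material itself that way.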