On Monday 20 November 2006 16:47, Mick <michaelkintzios@×××××.com> wrote
about 'Re: [gentoo-user] ssh-agent':
> On Monday 20 November 2006 17:20, Jorge Almeida wrote:
> > I've been reading the ssh-agent documentation (and googling) and it
> > seems clear, except for two issues for which I couldn't find any docs:
> >
> > What (where) is the ssh-agent cache? Some directory where the
> > decrypted keys are kept? (I mean, if I keep ssh-agent running all day,
> > is it more secure than just having my private keys unencrypted?)
>
> I understand (but could well be wrong) that the ssh-agent creates a new
> directory in /tmp/ with restrictive permissions (0700) and then creates
> a unix socket in it, with rather restrictive permissions (0600). Anyone
> who can connect to this socket (a hacker?!) could access your decrypted
> keys. Also, root can access the socket and therefore your keys.

Technically this is incorrect: anyone that can read and write to this
socket can authenticate using the keys, but they can't read the key
material directly. They can also engage in a known-plaintext or
known-cyphertext attack to attempt to determine the keys, which makes
whole classes of attacks more viable, but as far as I know there's still
little danger (unless maybe you are running the agent on one of the Top
500 :). Of course, since ssh keys aren't used for anything but
authentication, it may not be important that no key material escapes.

Of course, with a malicious root user you are pretty much fscked anyway;
they can run a kernel that tells ssh that memory is locked, but then log
all changes to that memory (revealing your key as it is generated) or log
all input to your tty (revealing your passphrase and letting them read the
key directly).

Attacks against your user from root are not something to worry about. You
can't do anything to prevent them. They are something to be aware of;
e.g. it's ill-advised to use agent forwarding unless both local and remote
root are equivalently trusted.

-- 
"If there's one thing we've established over the years,
it's that the vast majority of our users don't have the slightest
clue what's best for them in terms of package stability."
-- Gentoo Developer Ciaran McCreesh
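An added example, not part of the thread above: a small audit of the 0700 directory / 0600 unix socket arrangement Mick describes, written from the defender's side. The `audit_agent_socket` function and the constructed `/tmp/ssh-XXXX/agent.PID` layout in `run_demo` are mine and assume a POSIX system with Python 3; point the audit at `$SSH_AUTH_SOCK` to check a live agent, bearing in mind the reply's point that none of this helps against root.

```python
import os
import socket
import stat
import tempfile

def audit_agent_socket(sock_path):
    """Check the layout Mick describes (0700 directory owned by the user,
    0600 unix socket inside it). Returns findings; an empty list is fine.
    It catches misconfiguration only; nothing here defends against root."""
    me = os.getuid()
    try:
        st = os.lstat(sock_path)
    except FileNotFoundError:
        return ["%s: does not exist" % sock_path]
    findings = []
    if not stat.S_ISSOCK(st.st_mode):
        findings.append("%s: not a unix socket" % sock_path)
    if st.st_uid != me:
        findings.append("%s: owned by uid %d, not %d" % (sock_path, st.st_uid, me))
    if st.st_mode & 0o077:
        findings.append("%s: mode %04o grants group/other access"
                        % (sock_path, stat.S_IMODE(st.st_mode)))
    parent = os.path.dirname(os.path.abspath(sock_path))
    pst = os.stat(parent)
    if pst.st_uid != me:
        findings.append("%s: directory owned by uid %d, not %d" % (parent, pst.st_uid, me))
    if pst.st_mode & 0o077:
        findings.append("%s: directory mode %04o grants group/other access"
                        % (parent, stat.S_IMODE(pst.st_mode)))
    return findings

def run_demo():
    """Audit a constructed /tmp/ssh-XXXX/agent.PID layout (no real ssh-agent
    is started) before and after the directory is made world-readable."""
    base = tempfile.mkdtemp(prefix="ssh-")   # mkdtemp creates the dir 0700
    path = os.path.join(base, "agent.1234")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)                            # initial mode follows the umask
    os.chmod(path, 0o600)                     # ssh-agent gets 0600 via umask 0177
    results = {"good": audit_agent_socket(path)}
    os.chmod(base, 0o755)                     # simulate a too-open directory
    results["bad"] = audit_agent_socket(path)
    srv.close()
    os.unlink(path)
    os.rmdir(base)
    return results

if __name__ == "__main__":
    for label, findings in run_demo().items():
        print(label, findings or ["ok"])
```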