| 1 |
On Monday 20 November 2006 16:47, Mick <michaelkintzios@×××××.com> wrote |
| 2 |
about 'Re: [gentoo-user] ssh-agent': |
| 3 |
> On Monday 20 November 2006 17:20, Jorge Almeida wrote: |
| 4 |
> > I've been reading the ssh-agent documentation (and googling) and it |
| 5 |
> > seems clear, except for two issues for which I couldn't find any docs: |
| 6 |
> > |
| 7 |
> > What (where) is the ssh-agent cache? Some directory where the |
| 8 |
> > decrypted keys are kept? (I mean, if I keep ssh-agent running all day, |
| 9 |
> > is it more secure than just having my private keys unencrypted?) |
| 10 |
> |
| 11 |
> I understand (but could well be wrong) that the ssh-agent creates a new |
| 12 |
> directory in /tmp/ with restrictive permissions (0700) and then creates |
| 13 |
> a unix socket in it, with rather restrictive permissions (0600). Anyone |
| 14 |
> who can connect to this socket (a hacker?!) could access your decrypted |
| 15 |
> keys. Also, root can access the socket and therefore your keys. |
| 16 |
|
| 17 |
Technically this is incorrect, anyone that can read and write to this |
| 18 |
socket can authenticate using the keys, but they can't read the key |
| 19 |
material directly. They can also engage in a known-plaintext or |
| 20 |
known-cyphertext attack to attempt to determine the keys, which makes |
| 21 |
whole classes of attacks more viable, but as far as I know there's still |
| 22 |
little danger (unless maybe you are running the agent on one of the Top |
| 23 |
500 :). Of course, since ssh keys aren't used for anything but |
| 24 |
authentication, it may not be important that no key material escapes. |
| 25 |
|
| 26 |
Of course, with a malicious root user you are pretty much fscked anyway; |
| 27 |
they can run a kernel that tells ssh that memory is locked, but then log |
| 28 |
all changes to that memory (revealing your key as it is generated) or log |
| 29 |
all input to your tty (revealing your passphrase and letting them read the |
| 30 |
key directly). |
| 31 |
|
| 32 |
Attacks against your user from root are not someting to worry about. You |
| 33 |
can't to anything to prevent them. They are something to be aware of; |
| 34 |
e.g. it's ill-advised to use agent forwarding unless both local and remote |
| 35 |
root are equivalently trusted. |
| 36 |
|
| 37 |
-- |
| 38 |
"If there's one thing we've established over the years, |
| 39 |
it's that the vast majority of our users don't have the slightest |
| 40 |
clue what's best for them in terms of package stability." |
| 41 |
-- Gentoo Developer Ciaran McCreesh |
Archives