On Tue, 21 Nov 2006, Boyd Stephen Smith Jr. wrote:

>>
>> OK, that's what I thought. But a trojan running with the normal user
>> permissions could get the keys by reading the temporary directory (not
>> by connecting to the socket). Is this right?
>
> No. There are no files in the temporary directory besides the socket.
>
>> Or are the keys protected
>> in some other way?
>
> They are only stored in locked memory; they are never on disk unencrypted.
> Anyone that can read locked memory can access them, but this is very few
> users/processes on Linux -- and besides those same users will be able to
> read the key as you authenticate even if you don't use ssh-agent, as long
> as they time things right.
>
OK, this sounds better! I posted to the gnupg-users, asking a similar
question about gpg-agent. I guess gpg-agent works the same way.

I think these details about the workings of ssh-agent deserve more
visibility. Did you find some unusual documentation or read the source?
The latter is not in my skills, unfortunately.

Thanks.
--
Jorge Almeida
--
gentoo-user@g.o mailing list
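The point made in the thread (the agent's temporary directory holds nothing but the socket, and the keys themselves live only in locked memory) can be turned into a quick local check. The script below is an added example, not code from the thread or from OpenSSH: it audits the path in $SSH_AUTH_SOCK (or a constructed stand-in directory when that variable is unset) and reports anything that deviates from the described layout: a non-socket entry beside the socket, or a socket or directory that another user could reach. The directory name, socket name and stray file name in the demo are constructed for the example.

```python
import os
import socket
import stat
import tempfile


def audit_agent_socket(sock_path: str) -> list[str]:
    """Audit an agent socket path such as the value of $SSH_AUTH_SOCK.

    Returns a list of findings; an empty list means the layout matches what
    the thread describes: a single unix socket, owned by the current user,
    inside a private directory that contains nothing else.
    """
    findings = []
    uid = os.getuid()

    if not os.path.lexists(sock_path):
        return [f"socket path does not exist: {sock_path}"]

    st = os.lstat(sock_path)
    if not stat.S_ISSOCK(st.st_mode):
        findings.append("agent path is not a unix socket")
    if st.st_uid != uid:
        findings.append("socket is not owned by the current user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("socket is group- or world-accessible")

    agent_dir = os.path.dirname(sock_path)
    dst = os.lstat(agent_dir)
    if dst.st_uid != uid:
        findings.append("agent directory is not owned by the current user")
    if dst.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("agent directory is group- or world-accessible")

    # The thread's claim: nothing but the socket lives in that directory.
    for name in sorted(os.listdir(agent_dir)):
        entry = os.lstat(os.path.join(agent_dir, name))
        if not stat.S_ISSOCK(entry.st_mode):
            findings.append(f"unexpected non-socket entry in agent directory: {name}")
    return findings


def demo() -> tuple[list[str], list[str]]:
    """Build a constructed agent directory (no real ssh-agent involved) and
    audit it twice: once clean, once with a stray regular file beside the socket."""
    agent_dir = tempfile.mkdtemp(prefix="agent-demo.")  # mkdtemp already uses mode 0700
    sock_path = os.path.join(agent_dir, "agent.sock")

    # Bind under a restrictive umask so the socket node itself is owner-only,
    # mirroring how ssh-agent creates its socket.
    old_umask = os.umask(0o177)
    try:
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(sock_path)
    finally:
        os.umask(old_umask)

    try:
        clean = audit_agent_socket(sock_path)
        # Constructed stray file standing in for "something other than the socket".
        stray = os.path.join(agent_dir, "keys.txt")
        with open(stray, "w") as f:
            f.write("constructed stray file, not key material\n")
        dirty = audit_agent_socket(sock_path)
    finally:
        srv.close()
        for name in os.listdir(agent_dir):
            os.unlink(os.path.join(agent_dir, name))
        os.rmdir(agent_dir)
    return clean, dirty


if __name__ == "__main__":
    path = os.environ.get("SSH_AUTH_SOCK")
    if path:
        print("\n".join(audit_agent_socket(path)) or "agent socket layout looks clean")
    else:
        clean, dirty = demo()
        print("clean:", clean)
        print("dirty:", dirty)
```

Run it in a shell where an agent is running to audit the real socket; without $SSH_AUTH_SOCK it falls back to the constructed directory so the checks can be exercised offline. A finding from this script is a prompt to look at who can reach the directory, not proof of compromise; the keys themselves never appear on disk, as the thread says.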