Gentoo Archives: gentoo-user

From: Jorge Almeida <jalmeida@××××××××××××.pt>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] ssh-agent
Date: Tue, 21 Nov 2006 09:40:21
Message-Id: Pine.LNX.4.64.0611210918520.8638@jmaa.math.ist.utl.pt
In Reply to: Re: [gentoo-user] ssh-agent by "Boyd Stephen Smith Jr."
On Mon, 20 Nov 2006, Boyd Stephen Smith Jr. wrote:

>>
>> I understand (but could well be wrong) that the ssh-agent creates a new
>> directory in /tmp/ with restrictive permissions (0700) and then creates
>> a unix socket in it, with rather restrictive permissions (0600). Anyone
>> who can connect to this socket (a hacker?!) could access your decrypted
>> keys. Also, root can access the socket and therefore your keys.
>
> Technically this is incorrect, anyone that can read and write to this
> socket can authenticate using the keys, but they can't read the key
> material directly. They can also engage in a known-plaintext or

OK, that's what I thought. But a trojan running with the normal user
permissions could get the keys by reading the temporary directory (not
by connecting to the socket). Is this right? Or are the keys protected
in some other way? For example, keys might be kept encrypted and then
decrypted on demand using the passphrase provided when the key was
added, assuming the passphrase was kept in protected memory.

> known-cyphertext attack to attempt to determine the keys, which makes
> whole classes of attacks more viable, but as far as I know there's still
> little danger (unless maybe you are running the agent on one of the Top
> 500 :). Of course, since ssh keys aren't used for anything but
What are "the Top 500"???
> authentication, it may not be important that no key material escapes.
>
> Of course, with a malicious root user you are pretty much fscked anyway;
>
Root is not my problem.
>
Thanks,

Jorge Almeida
--
gentoo-user@g.o mailing list
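As an added example (not part of the thread), this Python script audits the layout the posts describe: the directory holding the agent socket should be 0700, the socket itself 0600, and both owned by the user running the agent. Only the socket lives in that directory; with OpenSSH the decrypted keys stay in the agent process's memory. The make_demo_socket helper and its temporary paths are constructed stand-ins for a real ssh-agent, used when SSH_AUTH_SOCK is not set.

```python
import os
import socket
import stat
import tempfile


def audit_agent_socket(sock_path, expected_uid=None):
    """Check an ssh-agent socket the way the thread describes it: a 0700
    directory holding a 0600 unix socket, both owned by the user.  Returns a
    list of findings; an empty list means the layout is as tight as expected."""
    uid = os.getuid() if expected_uid is None else expected_uid
    findings = []
    if not os.path.exists(sock_path):
        return ["socket path does not exist: %s" % sock_path]
    real = os.path.realpath(sock_path)  # follow symlinks (keychain-style setups)
    st_sock = os.stat(real)
    if not stat.S_ISSOCK(st_sock.st_mode):
        findings.append("%s is not a unix socket" % real)
    if st_sock.st_uid != uid:
        findings.append("socket owned by uid %d, expected %d" % (st_sock.st_uid, uid))
    sock_mode = stat.S_IMODE(st_sock.st_mode)
    if sock_mode & 0o077:  # any group/other bit lets another local user talk to the agent
        findings.append("socket mode %o grants group/other access" % sock_mode)
    st_dir = os.stat(os.path.dirname(real))
    if st_dir.st_uid != uid:
        findings.append("directory owned by uid %d, expected %d" % (st_dir.st_uid, uid))
    dir_mode = stat.S_IMODE(st_dir.st_mode)
    if dir_mode & 0o077:
        findings.append("directory mode %o grants group/other access" % dir_mode)
    return findings


def make_demo_socket(dir_mode, sock_mode):
    """Constructed stand-in for an agent socket (hypothetical helper, not ssh-agent):
    a temporary directory plus a bound unix socket with the requested modes."""
    d = tempfile.mkdtemp(prefix="ssh-demo-")
    path = os.path.join(d, "agent.sock")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, sock_mode)
    os.chmod(d, dir_mode)
    return path, srv  # keep srv referenced so the socket file stays bound


if __name__ == "__main__":
    target = os.environ.get("SSH_AUTH_SOCK")
    if target is None:
        target, _keep = make_demo_socket(0o700, 0o600)  # constructed demo layout
    problems = audit_agent_socket(target)
    print("%s: %s" % (target, "OK" if not problems else "; ".join(problems)))
```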

Replies

Subject Author
Re: [gentoo-user] ssh-agent Etaoin Shrdlu <shrdlu@×××××××××××××.org>
Re: [gentoo-user] ssh-agent Ralf Stephan <ralf@×××××××××××××.de>
Re: [gentoo-user] ssh-agent "Boyd Stephen Smith Jr." <bss03@××××××××××.net>