Your message dated Thu, 23 Nov 2017 11:10:38 +0000 with message-id <[email protected]> and subject line Re: Bug#882475: weird access permission to ssh-agent's socket has caused the Debian Bug report #882475, regarding weird access permission to ssh-agent's socket to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 882475: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882475 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: openssh-server Version: 1:7.4p1-10+deb9u1 If I run "ssh somehost", then a new ssh-agent is started with weird access permissions on its socket. Sample session: % ls -al $SSH_AUTH_SOCK srw------- 1 hdunkel users 0 Nov 23 11:25 /tmp/ssh-D65j4nl0gu7k/agent.3243 % ssh localhost Linux dpcl082.ac.aixigo.de 4.9.0-4-amd64 #1 SMP Debian 4.9.51-1 (2017-09-28) x86_64 % ls -al $SSH_AUTH_SOCK srwxr-xr-x 1 hdunkel users 0 Nov 23 11:42 /tmp/ssh-svX5x2DI9l/agent.6837 The first ssh-agent was created by lightdm at login time, AFAICT. In my understanding the access permissions on the socket for the second ssh-agent are way too permissive by default. Can you confirm? .ssh/config: Host * AddKeysToAgent yes ForwardAgent yes Regards Harri
--- End Message ---
--- Begin Message ---On Thu, Nov 23, 2017 at 11:47:27AM +0100, Harald Dunkel wrote: > If I run "ssh somehost", then a new ssh-agent is started with weird > access permissions on its socket. Sample session: > > % ls -al $SSH_AUTH_SOCK > srw------- 1 hdunkel users 0 Nov 23 11:25 /tmp/ssh-D65j4nl0gu7k/agent.3243 > % ssh localhost > Linux dpcl082.ac.aixigo.de 4.9.0-4-amd64 #1 SMP Debian 4.9.51-1 (2017-09-28) > x86_64 > > % ls -al $SSH_AUTH_SOCK > srwxr-xr-x 1 hdunkel users 0 Nov 23 11:42 /tmp/ssh-svX5x2DI9l/agent.6837 > > > The first ssh-agent was created by lightdm at login time, AFAICT. In my > understanding the access permissions on the socket for the second ssh-agent > are way too permissive by default. The containing directory is mode 700 (drwx------), so it doesn't matter whether the socket itself has wider permissions. Furthermore, ssh-agent checks the identity of processes connecting to that socket using getpeereid() to be on the safe side. It's this way for portability, since BSD systems handle socket permissions differently. See this recent thread on openssh-unix-dev: https://lists.mindrot.org/pipermail/openssh-unix-dev/2017-November/036418.html -- Colin Watson [[email protected]]
--- End Message ---
