On Mon, 2006-10-02 at 13:03 -0400, Derek Martin wrote: > On Sun, Oct 01, 2006 at 09:38:56AM -0500, Steven Elliott wrote: ... > > How is having the socket file on an NFS server a problem? I know that > > other applications do it, such as evolution / spamd: > > /home/sle/.evolution/cache/tmp/spamd-socket-path-bz4CuE > > On most platforms, this is a gigantic mistake, particularly if the > data is or could be sensitive (as is the case with authentication > credentials provided by ssh-agent). There are at least two problems > that I can think of off the top of my head: > > 1. In general, NFS does not encrypt the data that goes over the wire.
You are making the mistaken assumption that a UNIX-domain socket can magically, simply by virtue of the i-node that describes it being stored on an NFS (or other) server, become a network socket. This is not correct. Even if the i-node that describes the socket is resident on a remote file server rather than on a host's local disk, the socket itself remains intra-host; only pairs of processes running on the same host can communicate with each other. Naturally, in the ~/.ssh/agent-where-~-is-mounted-by-many-hosts case, you can have as many agents running as you like (not that this is good practice), but in each case, only clients running on the same host as the agent (or clients talking to an sshd running on the same host as the agent) will be able to talk to each agent. - Raz
