On Mon, Sep 10, 2007 at 01:09:18PM -0700, Sharon Veach wrote:
> FYI:
> There is a potential security issue if you use both the CDE and JDS
> desktops, and use the ssh-agent.
> This is sort of the opposite of the agent disappearing:
>
> Caution:
> If you use the Sun Java Desktop System (JDS), do not set up the
> ssh-agent command to run automatically. Because the killing of the
> ssh-agent process is controlled by a CDE interface, when you exit the
> JDS, the daemon continues to run.

JDS starts ssh-agent with a command as an argument:

  712 /usr/dt/bin/dtlogin -daemon -udpPort 0
22119 /usr/dt/bin/dtlogin -daemon -udpPort 0
22213 /bin/ksh /usr/dt/bin/Xsession
22312 /usr/dt/bin/sdt_shell -c unset DT; DISPLAY=:0; /u
22313 -ksh -c unset DT; DISPLAY=:0; /usr/dt/bin/dtses
22367 /bin/ksh /usr/dt/config/Xsession2.jds
22369 /usr/bin/gnome-session
22377 /usr/bin/ssh-agent -- /usr/bin/dbus-launch --exit-with-sess

When ssh-agent is started in this way it will check every 10 seconds to
see if its parent has died, and if it has then it exits.

> For example, if you start the daemon in a CDE session, move to a JDS
> session, and then log out, the daemon continues to run.

How do you move to a JDS session from a CDE session?

> A running daemon uses system resources. Although no known issues are
> associated with leaving the ssh-agent daemon running, the daemon
> contains a password, which could create a security risk.

Well, not a password, but your private keys, if you added any with
ssh-add(1). Still, it'd be bad to leave an ssh-agent process lying
around that has your private keys in memory.

> You can, of course, manually kill the ssh-agent process. But that
> implies that you are logged in.

Sure, but are you sure that this can happen?

Nico
--
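As an added defender-side example (not part of the thread), a small POSIX shell script that lists ssh-agent processes which have been reparented to init and whose owner no longer has a login session, i.e. agents left behind after logout with keys still in memory. The ps/who columns, the reparenting-to-PID-1 behaviour, and the sample process table are assumptions of this example.

```shell
#!/bin/sh
# Added example: find ssh-agent processes whose session is gone.
# An agent started as "ssh-agent -- cmd" polls its parent every 10 s and
# exits when it dies (as noted above), so the leftovers are the ones that
# daemonised ("ssh-agent -s"): those always have PPID 1 (assumed: no
# subreaper), so PPID 1 alone is not enough; also require that the owning
# user has no login session according to who(1).

# stdin: "PID PPID USER ARGS" lines.  $1: space-separated logged-in users.
# Prints "USER PID" for each ssh-agent with PPID 1 whose owner is not logged in.
orphaned_agents() {
    awk -v logged_in="$1" '
        BEGIN { n = split(logged_in, u, " "); for (i = 1; i <= n; i++) active[u[i]] = 1 }
        $2 == 1 && $4 ~ /(^|\/)ssh-agent$/ && !($3 in active) { print $3, $1 }'
}

# Live check on the current host (POSIX ps/who columns assumed).
list_orphaned_agents() {
    users=$(who | awk '{ print $1 }' | sort -u | tr '\n' ' ')
    ps -e -o pid= -o ppid= -o user= -o args= | orphaned_agents "$users"
}

# Constructed sample process table: sveach has logged out, alice is still in.
SAMPLE='22369 22213 sveach /usr/bin/gnome-session
22377 22369 sveach /usr/bin/ssh-agent -- /usr/bin/dbus-launch --exit-with-session
31005     1 sveach /usr/bin/ssh-agent -s
31010     1 alice /usr/bin/ssh-agent -s
31020     1 root /usr/lib/ssh/sshd'

if [ "${1-}" = "--live" ]; then
    list_orphaned_agents
else
    # Offline demonstration on the sample; reports only sveach's daemonised agent.
    printf '%s\n' "$SAMPLE" | orphaned_agents "alice root"
fi
```

Run with `--live` to inspect the real process table; anything reported is a candidate for `kill` by an administrator, since the user who owned it is no longer logged in.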