CVSROOT: /cvs
Module name: src
Changes by: d...@cvs.openbsd.org 2025/05/04 20:48:07
Modified files:
usr.bin/ssh/sshd-session: Makefile
usr.bin/ssh/sshd-auth: Makefile
usr.bin/ssh/ssh-agent: Makefile
usr.bin/ssh : ssh-agent.c ssh-agent.1 session.c pathnames.h
misc.h misc.c hostfile.c
Log message:
Move agent listener sockets from /tmp to under ~/.ssh/agent for both
ssh-agent(1) and forwarded sockets in sshd(8).
This ensures processes (such as Firefox) that have restricted
filesystem access that includes /tmp (via unveil(3)) do not have the
ability to use keys in an agent.
Moving the default directory has the consequence that the OS will no
longer clean up stale agent sockets, so ssh-agent now gains this
ability.
To support $HOME on NFS, the socket path includes a truncated hash of
the hostname. ssh-agent will by default only clean up sockets from
the same hostname.
ssh-agent gains some new flags: -U suppresses the automatic cleanup
of stale sockets when it starts. -u forces a cleanup without
keeping a running agent, -uu forces a cleanup that ignores the
hostname. -T makes ssh-agent put the socket back in /tmp.
feedback deraadt@ naddy@, doitdoitdoit deraadt@
