Using ssh-agent option: -a


I'd like some advice:

First, a bit of context: I am trying to work out some guidelines for
my workgroup's use of ssh.  We all use VNC to log in to a large Unix
server that acts as our workstation.

My question regards ssh-agent: I have always regarded the whole
business of capturing and passing around the two envars
SSH_AUTH_SOCK and SSH_AGENT_PID as rather awkward and fussy.
So I was pleased when I learned (in the fabulous SnailBook, of
course) about the OpenSSH option to ssh-agent: -a <socket>.
I am considering recommending to my group that we use this to
specify a fixed socket name within ~/.ssh/.

Seems to me this would greatly simplify the envar handling:

 - Just specify in ~/.profile:
      export SSH_AUTH_SOCK=$HOME/.ssh/agent-socket

 - Just forget about SSH_AGENT_PID:
     - AFAIK it is used only when you want to kill ssh-agent.
     - In our environment that doesn't happen very often,
      since our Xvnc sessions last for months.
     - It's pretty easy to find the PID with ps(1) and just use kill;
          or it's easy to write a script to do this.

My question is whether there is a significant security risk in making
it so easy for others on the system to find the socket.
Even if you didn't know the convention, the -a arg shows up in the
ps(1) display.  Presumably the ~/.ssh directory is pretty well
locked up.

The default is to try to hide the socket in a subdir of /tmp, and to
obscure it with a random name.  But the security of this depends on
the same permissions mechanism that protects ~/.ssh .
Or is there significant benefit from this default hiding the socket
from those NOT logged in to the system?

Also, would this scheme have any bearing on the advisability of
allowing agent-forwarding?

(BTW, another of my recommendations will be to use the -t option of
ssh-agent to require re-entering the passphrase every hour or two,
in case you are concerned about long-lasting ssh-agent processes.)
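As an added example (not code from the original post), here is one way to turn the scheme above into a ~/.profile fragment: export a fixed SSH_AUTH_SOCK under ~/.ssh, start ssh-agent with -a and -t only when no agent already answers on that socket, and recover the PID from ps(1) instead of keeping SSH_AGENT_PID. The socket path $HOME/.ssh/agent-socket is the one proposed in the post; the 2h lifetime, the function names and the refusal to use a directory that is not mode 0700 are assumptions made for this example. Because the fixed socket is protected by nothing but the permissions of the directory that holds it, the fragment checks those permissions before placing the socket there.

```shell
# Added example, not from the original post. Source from ~/.profile.
# Assumed defaults (hypothetical, override via environment): socket at
# $HOME/.ssh/agent-socket, keys forgotten after 2 hours (ssh-agent -t).
AGENT_SOCK="${AGENT_SOCK:-$HOME/.ssh/agent-socket}"
AGENT_LIFETIME="${AGENT_LIFETIME:-2h}"

# socket_dir_ok DIR: 0 if DIR exists, is owned by us, and grants no
# group/other permission bits at all (e.g. drwx------). The fixed socket
# is exactly as private as this directory, so anything looser is refused.
socket_dir_ok() {
    dir=$1
    [ -d "$dir" ] || return 1
    perms=$(ls -ld "$dir" | cut -c1-10)        # e.g. drwx------
    owner=$(ls -ld "$dir" | awk '{print $3}')
    [ "$owner" = "$(id -un)" ] || return 1
    case $perms in
        d???------) return 0 ;;
        *)          return 1 ;;
    esac
}

# agent_alive SOCK: 0 if a live agent answers on SOCK.
# OpenSSH ssh-add -l exits 0 (keys listed) or 1 (agent holds no keys)
# when it reaches an agent, and 2 when it cannot connect, which is what
# a stale socket file left by a dead agent produces.
agent_alive() {
    sock=$1
    [ -S "$sock" ] || return 1
    SSH_AUTH_SOCK=$sock ssh-add -l >/dev/null 2>&1
    [ $? -ne 2 ]
}

# ensure_agent: point SSH_AUTH_SOCK at the fixed path and start an agent
# only if none is listening there, so a long-lived agent is reused across
# logins and VNC sessions instead of a new one being spawned each time.
ensure_agent() {
    sockdir=$(dirname "$AGENT_SOCK")
    if ! socket_dir_ok "$sockdir"; then
        echo "ssh-agent: refusing to use $sockdir (must be ours, mode 0700)" >&2
        return 1
    fi
    # Never follow a symlink at the socket path: test -S would happily
    # report a symlink to somebody else's socket as a socket.
    if [ -L "$AGENT_SOCK" ]; then
        echo "ssh-agent: $AGENT_SOCK is a symlink, not touching it" >&2
        return 1
    fi
    export SSH_AUTH_SOCK=$AGENT_SOCK
    agent_alive "$AGENT_SOCK" && return 0
    # Nothing answers: remove the stale file, because ssh-agent -a will not
    # bind over an existing path ("bind: Address already in use").
    rm -f "$AGENT_SOCK"
    # The exports ssh-agent prints are discarded: the path is already fixed
    # and the PID can be recovered with find_agent_pid when needed.
    ssh-agent -a "$AGENT_SOCK" -t "$AGENT_LIFETIME" >/dev/null
}

# find_agent_pid: the replacement for SSH_AGENT_PID mentioned in the post.
# Works because the -a argument is visible in the process list; prints the
# PID(s) of our ssh-agent processes bound to AGENT_SOCK, if any.
find_agent_pid() {
    ps -u "$(id -un)" -o pid= -o args= |
        awk -v s="$AGENT_SOCK" '$2 ~ /ssh-agent$/ && index($0, s) { print $1 }'
}

# Only act in an interactive shell (the ~/.profile case); running this file
# non-interactively just defines the functions above.
case $- in
    *i*) ensure_agent ;;
esac
```

To kill the agent later, `kill $(find_agent_pid)` does what SSH_AGENT_PID would have been kept for. Note that the ps(1) visibility the post worries about is exactly what find_agent_pid relies on: anyone on the host can learn the socket path the same way, so the directory check is the part that actually protects the socket.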
