[CentOS] ssh-agent

Tue Apr 6 15:39:59 UTC 2010
Ron Loftin <reloftin at twcny.rr.com>

On Tue, 2010-04-06 at 10:51 -0400, m.roth at 5-cent.us wrote:
> Ron wrote:
> > On Tue, 2010-04-06 at 09:57 -0400, m.roth at 5-cent.us wrote:
> >> Yesterday or Friday, don't remember, I happened to be looking at my
> >> processes on my machine, and discovered I had a number of ssh-agents
> >> running (all mine), from different days. I killed all but the current
> >> day's.
> >>
> >> Now, I log out every single night.
> >>
> >> I checked the next day, and sure enough, the one I started the previous
> >> day was still running, and not only could I use ssh-add, but it worked.
> >> I didn't think of it this morning until just now, but tomorrow I'll log
> >> back in, and see if I even need to use ssh-add.
> >>
> >> If this is the case, I am not happy. This is, to me, a security hole,
> >> and *not* what I expected, nor what the man page seems to lead me to
> >> believe.
> >>
> >> Bug?
> >
> > I think that you may want some additional documentation on the use of
> > ssh and ssh-agent.  Try this link (read all three parts of the
> > article) and re-evaluate your conclusions.
> >
> > http://www-106.ibm.com/developerworks/library/l-keyc.html
> >
> > I have been using the keychain utility referenced in this series for
> > several years now, and I'm pretty happy with it.  As always, YMMV.
> 
> Let's try again, since, having skimmed your link, it seems to me that you
> don't understand my problem.
> 
> What I was doing: log onto my machine (system run level 5, I log out, NOT
> just lock the screen, every single night; therefore, there should be no
> processes running owned by me), and in a terminal window, do
>    ssh-agent
>    ssh-add .ssh/private key
> and enter my passphrase. Then I'd go through the day merrily on my way.
> 
> Now, I find that when I log out, ssh-agent IS NOT STOPPED, even though I
> am logged all the way out. When I log out, unless I background something,
> everything running as me should go away. Everything.
> 
> What I will try tomorrow, or maybe, if I get real enthused, later today,
> is to see if, after logging all the way out, then logging back in, whether
> ssh-agent has retained the ssh key that I added in the last session. If
> so, I *will* call this an important security hole, since in the unlikely
> event that someone manages to crack into my account (I lock the screen,
> per division rules, when I walk out of the office, so they can't just sit
> down at my desk), they could get to every other machine without so much as
> a by-your-leave, with no passwords.
> 
> Now is this clearer?

Yeah, I get it.

What you're missing, and as others have pointed out, AND as discussed in
the link I sent you, is that ssh-agent is DESIGNED to be persistent by
default.  You are correct in your assertion that if someone gained
access to your machine while ssh-agent is active, they would have the
same access to remote systems as you do when you're sitting at the
console.  That's life on the Internet today.

Now, how well this meets your particular requirements is for you to
decide.  You are not REQUIRED to use ssh-agent, and there is
considerable flexibility in how it can be configured and used.  The ins
and outs of those config options have to be evaluated in the context of
your particular security environment.

My conclusion regarding ssh-agent and the behavior that you find
disturbing gets the old programmer's lament:  "It's NOT a bug, it's a
feature!" and for a change, this statement is correct.

I encourage you to take the time to (re)read the link I sent you, slowly
and carefully.  That's what I had to do when I first found it, and when
returning to it later on for enhancement of my ssh usage.  I believe
that it is DEFINITELY worth the effort.


> 
>           mark

-- 
Ron Loftin                      reloftin at twcny.rr.com

"God, root, what is difference ?"       Piter from UserFriendly
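
The behaviour discussed in this thread (an agent that outlives the login that started it) can be both prevented and checked for. The shell sketch below is an added example, not part of the original messages: the function names, the key path, the 8-hour key lifetime and the sample ps lines are assumptions or constructed values.

```shell
# Added example: keep ssh-agent from outliving the shell that started it,
# and spot agents left over from earlier logins.

# Start an agent tied to the current shell (run it in the terminal where you
# would otherwise type `ssh-agent`). Keys expire after $1 seconds via
# `ssh-add -t`, and the EXIT trap runs `ssh-agent -k`, which kills the agent
# named by SSH_AGENT_PID when this shell exits.
start_scoped_agent() {
    key_lifetime=${1:-28800}                  # assumed default: 8 hours
    eval "$(ssh-agent -s)" >/dev/null         # sets SSH_AUTH_SOCK, SSH_AGENT_PID
    trap 'ssh-agent -k >/dev/null 2>&1' EXIT
    ssh-add -t "$key_lifetime" "$HOME/.ssh/id_rsa"   # assumed key path
}

# Read lines in the format of `ps -eo pid=,user=,etimes=,comm=` on stdin and
# print the PID of every ssh-agent owned by user $1 that has been running for
# more than $2 seconds.
find_stale_agents() {
    awk -v user="$1" -v max="$2" \
        '$4 == "ssh-agent" && $2 == user && $3 + 0 > max + 0 { print $1 }'
}

# Constructed sample input (not real output): alice has two agents left over
# from previous days and one from the current session.
sample_ps() {
    cat <<'EOF'
 2101 alice  259872 ssh-agent
 2977 alice  173411 ssh-agent
 8812 alice    1201 ssh-agent
 8840 alice    1180 bash
  913 root   604800 sshd
 4410 bob     90000 ssh-agent
EOF
}

# Live use, flagging agents older than 12 hours:
#   ps -eo pid=,user=,etimes=,comm= | find_stale_agents "$USER" 43200
```

With the constructed sample, `sample_ps | find_stale_agents alice 43200` prints 2101 and 2977. On a live system, `ssh-add -l` against a surviving agent's socket shows whether it still holds keys, and `ssh-add -D` removes them.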