openssh-unix-dev May 2011 archive

Re: Might a patch to ssh-agent to allow relaxing of peer euid check be accepted?

From: Wout Mertens <wmertens_at_nospam>
Date: Thu May 19 2011 - 13:51:46 GMT
To: Matthew Miller <mattdm@mattdm.org>

On May 19, 2011, at 15:25 , Matthew Miller wrote:

> Peter Stuge wrote:
>>> Right now, ssh-agent makes a check using getpeereid(), and declines
>>> access if it fails. This is very sensible in general, but breaks this
>>> particular case. Might a patch to allow an option to ssh-agent to relax
>>> the check be accepted?
>> I doubt it. I would suggest that you implement an ssh-agent proxy to sit
>> in front of the actual agent, running as keyholder, where you implement
>> policy.
>
> That's an interesting idea. However, for this case, that introduces
> complication without particular benefit, as we're not wanting to implement
> any particular policy but rather have ssh-agent _refrain_ from enforcing a
> hard-coded one. Without the check, simple policy can be implemented at the
> filesystem level (or through various security modules).

Why not simply give each user their own private key and add/remove it from the authorized_keys at the appropriate times?

Wout.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
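The peer-uid check the thread is arguing about, shown as an added example that is not code from this thread or from OpenSSH: a small C helper that reads the effective uid of the process on the other end of a connected AF_UNIX socket (SO_PEERCRED on Linux, getpeereid() on the BSDs and macOS) and refuses any peer whose euid does not match the expected one, exercised over a socketpair so it runs without a real agent. The function names `peer_euid_matches` and `demo_check` are my own.

```c
#define _GNU_SOURCE            /* struct ucred on glibc */
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/un.h>
#include <unistd.h>

/* Return 1 when the peer's effective uid on the connected AF_UNIX socket
 * fd equals expected, 0 when it differs or the credentials cannot be read
 * (fail closed: an unreadable peer identity is treated as a mismatch). */
int peer_euid_matches(int fd, uid_t expected)
{
    uid_t peer_uid;
#if defined(SO_PEERCRED)
    /* Linux: kernel-supplied credentials of the connecting process. */
    struct ucred cr;
    socklen_t len = sizeof(cr);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &len) != 0)
        return 0;
    peer_uid = cr.uid;
#else
    /* BSD / macOS: the same information via getpeereid(). */
    gid_t peer_gid;
    if (getpeereid(fd, &peer_uid, &peer_gid) != 0)
        return 0;
#endif
    return peer_uid == expected;
}

/* Constructed check: a socketpair has our own process on both ends, so the
 * peer must match our euid and must not match any other uid.
 * Returns 1 if both outcomes are as expected, 0 otherwise, -1 on error. */
int demo_check(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    int same  = peer_euid_matches(sv[0], geteuid());
    int other = peer_euid_matches(sv[0], geteuid() + 1);
    close(sv[0]);
    close(sv[1]);
    return (same == 1 && other == 0) ? 1 : 0;
}

int main(void)
{
    int r = demo_check();
    printf("peer euid check behaves as expected: %s\n",
           r == 1 ? "yes" : (r == 0 ? "no" : "error"));
    return r == 1 ? 0 : 1;
}
```

The check is the reason filesystem permissions alone are not enough as a policy for an agent socket: a client that can open the socket (because the directory mode or an ACL allows it) still has its identity compared against the uid the agent was started as, independently of any mode bits on the path.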