* [gentoo-user] ssh-agent
From: Jorge Almeida @ 2006-11-20 17:20 UTC
To: gentoo-user

I've been reading the ssh-agent documentation (and googling) and it seems
clear, except for two issues for which I couldn't find any docs:

What (where) is the ssh-agent cache? Some directory where the decrypted keys
are kept? (I mean, if I keep ssh-agent running all day, is it more secure
than just having my private keys unencrypted?)

When adding keys with ssh-add, does it use protected memory to get the
passphrases?

--
Jorge Almeida
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] ssh-agent
From: Boyd Stephen Smith Jr. @ 2006-11-20 20:41 UTC
To: gentoo-user

On Monday 20 November 2006 11:20, Jorge Almeida <jalmeida@math.ist.utl.pt>
wrote about '[gentoo-user] ssh-agent':
> I've been reading the ssh-agent documentation (and googling) and it
> seems clear, except for two issues for which I couldn't find any docs:

While I hope someone on this list can answer you, the information you desire
is very ssh-agent specific and very not Gentoo-specific. Because of that
you'll probably be more likely to get results on a mailing list specifically
for that program (or, if you are using openssh, OpenBSD).

--
"If there's one thing we've established over the years, it's that the vast
majority of our users don't have the slightest clue what's best for them in
terms of package stability."
-- Gentoo Developer Ciaran McCreesh
* Re: [gentoo-user] ssh-agent
From: Mick @ 2006-11-20 22:47 UTC
To: gentoo-user

On Monday 20 November 2006 17:20, Jorge Almeida wrote:
> I've been reading the ssh-agent documentation (and googling) and it
> seems clear, except for two issues for which I couldn't find any docs:
>
> What (where) is the ssh-agent cache? Some directory where the decrypted
> keys are kept? (I mean, if I keep ssh-agent running all day, is it more
> secure than just having my private keys unencrypted?)

I understand (but could well be wrong) that the ssh-agent creates a new
directory in /tmp/ with restrictive permissions (0700) and then creates a
unix socket in it, with rather restrictive permissions (0600). Anyone who can
connect to this socket (a hacker?!) could access your decrypted keys. Also,
root can access the socket and therefore your keys.

> When adding keys with ssh-add, does it use protected memory to get the
> passphrases?

I believe the above answer covers this too. If you run the ssh-add with the
-c option the agent will run the ssh-askpass when anyone tries to retrieve
the passwords.

This is how it used to be last time I looked at it, not sure how it has
evolved over the last few months.

--
Regards,
Mick
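The directory and socket permissions Mick describes (an owner-only 0700 directory holding a 0600 unix socket) can be verified for the agent a shell is actually using. The following is an added illustration in Python, not code posted in the thread; it assumes a Linux/Unix host where SSH_AUTH_SOCK names the agent socket, and the fixture it builds (`make_sample_socket`) is a constructed stand-in for the agent, not a real one.

```python
"""Added example: audit the filesystem protections of an ssh-agent socket.

Anyone able to open the socket can ask the agent to authenticate on their
behalf, so the modes of the socket and its directory are the only filesystem
barrier between another local process and the loaded keys.
"""
import os
import socket
import stat
import tempfile


def audit_agent_socket(sock_path, expected_uid=None):
    """Return a list of findings. An empty list means the socket and its
    parent directory are owned by expected_uid (default: our own uid) and
    grant no permissions to group or other."""
    uid = os.getuid() if expected_uid is None else expected_uid
    findings = []
    try:
        st = os.lstat(sock_path)
    except FileNotFoundError:
        return ["socket does not exist: %s" % sock_path]
    if not stat.S_ISSOCK(st.st_mode):
        findings.append("not a unix socket: %s" % sock_path)
    if st.st_uid != uid:
        findings.append("socket owned by uid %d, expected %d" % (st.st_uid, uid))
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        findings.append("socket mode %04o grants group/other access" % mode)

    directory = os.path.dirname(sock_path) or "."
    dst = os.lstat(directory)
    if dst.st_uid != uid:
        findings.append("directory %s owned by uid %d, expected %d"
                        % (directory, dst.st_uid, uid))
    dmode = stat.S_IMODE(dst.st_mode)
    if dmode & 0o077:
        findings.append("directory %s mode %04o grants group/other access"
                        % (directory, dmode))
    return findings


def audit_from_environment():
    """Audit the agent the current shell would talk to."""
    path = os.environ.get("SSH_AUTH_SOCK")
    if not path:
        return ["SSH_AUTH_SOCK is not set; no agent socket to audit"]
    return audit_agent_socket(path)


def make_sample_socket(dir_mode=0o700, sock_mode=0o600):
    """Constructed fixture (not a real agent): a private directory holding a
    bound, listening unix socket, so the audit can be exercised offline.
    Returns the socket path and the listening socket object; keep a
    reference to the latter, closing it removes the listener."""
    directory = tempfile.mkdtemp(prefix="ssh-")   # mkdtemp creates with 0700
    path = os.path.join(directory, "agent.sample")
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(path)
    listener.listen(1)
    os.chmod(path, sock_mode)        # ssh-agent binds under umask 0177, i.e. 0600
    os.chmod(directory, dir_mode)
    return path, listener


if __name__ == "__main__":
    for line in audit_from_environment() or ["SSH_AUTH_SOCK looks fine"]:
        print(line)
```

Run it in a shell that has an agent to check the real socket; the fixture exists only so the checks can be exercised against deliberately loosened modes without touching a live agent.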
* Re: [gentoo-user] ssh-agent
From: Jorge Almeida @ 2006-11-20 23:09 UTC
To: gentoo-user

On Mon, 20 Nov 2006, Mick wrote:
> On Monday 20 November 2006 17:20, Jorge Almeida wrote:
>> I've been reading the ssh-agent documentation (and googling) and it
>> seems clear, except for two issues for which I couldn't find any docs:
>>
>> What (where) is the ssh-agent cache? Some directory where the decrypted
>> keys are kept? (I mean, if I keep ssh-agent running all day, is it more
>> secure than just having my private keys unencrypted?)
>
> I understand (but could well be wrong) that the ssh-agent creates a new
> directory in /tmp/ with restrictive permissions (0700) and then creates a
> unix socket in it, with rather restrictive permissions (0600). Anyone who can
> connect to this socket (a hacker?!) could access your decrypted keys. Also,
> root can access the socket and therefore your keys.
>
Well, assuming that you're right, the whole concept is rather disappointing.
After all, the private keys have the same restrictive permissions, and if the
keys are kept in the clear when the agent is active, then a hacker might fetch
the keys from the temporary dir as well as from ~/.ssh (I'm not really taking
into account the extra security-by-obscurity provided by the variable path to
the socket.) Maybe I didn't understand the whole thing.

>> When adding keys with ssh-add, does it use protected memory to get the
>> passphrases?
>
> I believe the above answer covers this too. If you run the ssh-add with
> the -c option the agent will run the ssh-askpass when anyone tries to
> retrieve the passwords.
>
What I meant is whether the passphrase to unencrypt a key (in order to put it
in the cache) is really safe.

> This is how it used to be last time I looked at it, not sure how it has
> evolved over the last few months.
>
Thanks.

--
Jorge Almeida
* Re: [gentoo-user] ssh-agent
From: Boyd Stephen Smith Jr. @ 2006-11-21 5:55 UTC
To: gentoo-user

On Monday 20 November 2006 16:47, Mick <michaelkintzios@gmail.com> wrote
about 'Re: [gentoo-user] ssh-agent':
> On Monday 20 November 2006 17:20, Jorge Almeida wrote:
> > I've been reading the ssh-agent documentation (and googling) and it
> > seems clear, except for two issues for which I couldn't find any docs:
> >
> > What (where) is the ssh-agent cache? Some directory where the
> > decrypted keys are kept? (I mean, if I keep ssh-agent running all day,
> > is it more secure than just having my private keys unencrypted?)
>
> I understand (but could well be wrong) that the ssh-agent creates a new
> directory in /tmp/ with restrictive permissions (0700) and then creates
> a unix socket in it, with rather restrictive permissions (0600). Anyone
> who can connect to this socket (a hacker?!) could access your decrypted
> keys. Also, root can access the socket and therefore your keys.

Technically this is incorrect, anyone that can read and write to this socket
can authenticate using the keys, but they can't read the key material
directly. They can also engage in a known-plaintext or known-cyphertext
attack to attempt to determine the keys, which makes whole classes of attacks
more viable, but as far as I know there's still little danger (unless maybe
you are running the agent on one of the Top 500 :). Of course, since ssh keys
aren't used for anything but authentication, it may not be important that no
key material escapes.

Of course, with a malicious root user you are pretty much fscked anyway; they
can run a kernel that tells ssh that memory is locked, but then log all
changes to that memory (revealing your key as it is generated) or log all
input to your tty (revealing your passphrase and letting them read the key
directly). Attacks against your user from root are not something to worry
about. You can't do anything to prevent them. They are something to be aware
of; e.g. it's ill-advised to use agent forwarding unless both local and
remote root are equivalently trusted.

--
"If there's one thing we've established over the years, it's that the vast
majority of our users don't have the slightest clue what's best for them in
terms of package stability."
-- Gentoo Developer Ciaran McCreesh
* Re: [gentoo-user] ssh-agent
From: Jorge Almeida @ 2006-11-21 9:32 UTC
To: gentoo-user

On Mon, 20 Nov 2006, Boyd Stephen Smith Jr. wrote:
>>
>> I understand (but could well be wrong) that the ssh-agent creates a new
>> directory in /tmp/ with restrictive permissions (0700) and then creates
>> a unix socket in it, with rather restrictive permissions (0600). Anyone
>> who can connect to this socket (a hacker?!) could access your decrypted
>> keys. Also, root can access the socket and therefore your keys.
>
> Technically this is incorrect, anyone that can read and write to this
> socket can authenticate using the keys, but they can't read the key
> material directly. They can also engage in a known-plaintext or
OK, that's what I thought. But a trojan running with the normal user
permissions could get the keys by reading the temporary directory (not by
connecting to the socket). Is this right? Or are the keys protected in some
other way? For example, keys might be kept encrypted and then decrypted on
demand using the passphrase provided when the key was added, assuming the
passphrase was kept in protected memory.

> known-cyphertext attack to attempt to determine the keys, which makes
> whole classes of attacks more viable, but as far as I know there's still
> little danger (unless maybe you are running the agent on one of the Top
> 500 :). Of course, since ssh keys aren't used for anything but
What are "the Top 500"???

> authentication, it may not be important that no key material escapes.
>
> Of course, with a malicious root user you are pretty much fscked anyway;
>
Root is not my problem.
>
Thanks,
Jorge Almeida
* Re: [gentoo-user] ssh-agent
From: Etaoin Shrdlu @ 2006-11-21 10:09 UTC
To: gentoo-user

On Tuesday 21 November 2006 10:32, Jorge Almeida wrote:
> What are "the Top 500"???

http://www.top500.org
* Re: [gentoo-user] ssh-agent
From: Ralf Stephan @ 2006-11-21 17:00 UTC
To: gentoo-user

Jorge Almeida wrote
> >Technically this is incorrect, anyone that can read and write to this
> >socket can authenticate using the keys, but they can't read the key
> >material directly. They can also engage in a known-plaintext or
>
> OK, that's what I thought. But a trojan running with the normal user
> permissions could get the keys by reading the temporary directory (not
> by connecting to the socket). Is this right? Or are the keys protected
> in some other way? For example, keys might be kept encrypted and then
> decrypted on demand using the passphrase provided when the key was
> added, assuming the passphrase was kept in protected memory.

That's why some people build public keys as root on a desktop but try to do
everything else like browsing or reading mail as user.

ralf
* Re: [gentoo-user] ssh-agent
From: Boyd Stephen Smith Jr. @ 2006-11-21 18:24 UTC
To: gentoo-user

On Tuesday 21 November 2006 03:32, Jorge Almeida <jalmeida@math.ist.utl.pt>
wrote about 'Re: [gentoo-user] ssh-agent':
> On Mon, 20 Nov 2006, Boyd Stephen Smith Jr. wrote:
> >> I understand (but could well be wrong) that the ssh-agent creates a
> >> new directory in /tmp/ with restrictive permissions (0700) and then
> >> creates a unix socket in it, with rather restrictive permissions
> >> (0600). Anyone who can connect to this socket (a hacker?!) could
> >> access your decrypted keys. Also, root can access the socket and
> >> therefore your keys.
> >
> > Technically this is incorrect, anyone that can read and write to this
> > socket can authenticate using the keys, but they can't read the key
> > material directly. They can also engage in a known-plaintext or
>
> OK, that's what I thought. But a trojan running with the normal user
> permissions could get the keys by reading the temporary directory (not
> by connecting to the socket). Is this right?

No. There are no files in the temporary directory besides the socket.

> Or are the keys protected
> in some other way?

They are only stored in locked memory; they are never on disk unencrypted.
Anyone that can read locked memory can access them, but this is very few
users/processes on Linux -- and besides those same users will be able to read
the key as you authenticate even if you don't use ssh-agent, as long as they
time things right.

--
"If there's one thing we've established over the years, it's that the vast
majority of our users don't have the slightest clue what's best for them in
terms of package stability."
-- Gentoo Developer Ciaran McCreesh
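Boyd's distinction (a client of the socket can authenticate with the loaded keys but cannot read them) follows from the agent protocol itself, which offers "list identities" and "sign this" but no request that returns a private key. The following added example, not part of the thread, sends the request-identities message to an agent socket and decodes the answer. The message numbers (11, 12 and 5) are the OpenSSH agent protocol's; `StubAgent`, `demo()` and the sample key blob are the example's own constructed stand-ins so it runs offline, and it assumes a Unix host.

```python
"""Added example: a minimal ssh-agent protocol client plus a stub agent.

Messages on the agent socket are length-prefixed: uint32 big-endian length,
then one type byte and the body. Public keys come back as SSH 'string'
blobs (uint32 length + bytes) whose first string is the key type name.
"""
import os
import socket
import struct
import tempfile
import threading

SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12


def ssh_string(data):
    """Encode bytes as an SSH 'string' (also used to frame whole messages)."""
    return struct.pack(">I", len(data)) + data


def parse_string(buf, offset):
    """Decode an SSH 'string' at offset; return (bytes, next_offset)."""
    (n,) = struct.unpack(">I", buf[offset:offset + 4])
    return buf[offset + 4:offset + 4 + n], offset + 4 + n


def read_exact(conn, n):
    data = b""
    while len(data) < n:
        piece = conn.recv(n - len(data))
        if not piece:
            raise ConnectionError("agent closed the connection early")
        data += piece
    return data


def read_message(conn):
    (length,) = struct.unpack(">I", read_exact(conn, 4))
    return read_exact(conn, length)


def list_identities(sock_path):
    """Return [(key_type, comment), ...] for the keys the agent holds."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as conn:
        conn.connect(sock_path)
        conn.sendall(ssh_string(bytes([SSH_AGENTC_REQUEST_IDENTITIES])))
        reply = read_message(conn)
    if not reply or reply[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected agent reply type %r" % (reply[:1],))
    (count,) = struct.unpack(">I", reply[1:5])
    offset, identities = 5, []
    for _ in range(count):
        blob, offset = parse_string(reply, offset)
        comment, offset = parse_string(reply, offset)
        key_type, _ = parse_string(blob, 0)   # blob = string type, then key fields
        identities.append((key_type.decode(), comment.decode()))
    return identities


class StubAgent(threading.Thread):
    """Constructed stand-in for ssh-agent: serves one connection, answers a
    request-identities message with its public blobs and comments, and
    refuses any other request with SSH_AGENT_FAILURE. Like the real agent it
    has no code path that writes private material to the socket."""

    def __init__(self, sock_path, identities):
        super().__init__(daemon=True)
        self.identities = identities
        self.listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.listener.bind(sock_path)
        self.listener.listen(1)

    def run(self):
        conn, _ = self.listener.accept()
        with conn:
            request = read_message(conn)
            if request[:1] == bytes([SSH_AGENTC_REQUEST_IDENTITIES]):
                body = bytes([SSH_AGENT_IDENTITIES_ANSWER])
                body += struct.pack(">I", len(self.identities))
                for blob, comment in self.identities:
                    body += ssh_string(blob) + ssh_string(comment)
            else:
                body = bytes([SSH_AGENT_FAILURE])
            conn.sendall(ssh_string(body))
        self.listener.close()


def demo():
    """Run the client against the stub holding one constructed ed25519 blob."""
    fake_blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))  # not a real key
    sock_path = os.path.join(tempfile.mkdtemp(prefix="ssh-"), "agent.stub")
    agent = StubAgent(sock_path, [(fake_blob, b"constructed-test-key")])
    agent.start()
    result = list_identities(sock_path)
    agent.join(timeout=5)
    return result


if __name__ == "__main__":
    print(demo())
    if os.environ.get("SSH_AUTH_SOCK"):           # same request against a real agent
        print(list_identities(os.environ["SSH_AUTH_SOCK"]))
```

Against a real agent this returns what `ssh-add -l` shows: key types and comments. The signing request (type 13) is the only other thing an agent client can obtain, which is why the thread's concern reduces to who can reach the socket, not to whether keys can be copied out of it.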
* Re: [gentoo-user] ssh-agent
From: Jorge Almeida @ 2006-11-21 18:41 UTC
To: gentoo-user

On Tue, 21 Nov 2006, Boyd Stephen Smith Jr. wrote:
>>
>> OK, that's what I thought. But a trojan running with the normal user
>> permissions could get the keys by reading the temporary directory (not
>> by connecting to the socket). Is this right?
>
> No. There's no files in the temporary directory besides the socket.
>
>> Or are the keys protected
>> in some other way?
>
> They are only stored in locked memory; they are never on disk unencrypted.
> Anyone that can read locked memory can access them, but this is very few
> users/processes on Linux -- and besides those same users will be able to
> read the key as you authenticate even if you don't use ssh-agent, as long
> as they time things right.
>
OK, this sounds better! I posted to the gnupg-users, asking a similar
question about gpg-agent. I guess gpg-agent works the same way.

I think these details about the workings of ssh-agent deserve more
visibility. Did you find some unusual documentation or read the source? The
latter is not in my skills, unfortunately.

Thanks.

--
Jorge Almeida
* Re: [gentoo-user] ssh-agent
From: Boyd Stephen Smith Jr. @ 2006-11-21 20:14 UTC
To: gentoo-user

On Tuesday 21 November 2006 12:41, Jorge Almeida <jalmeida@math.ist.utl.pt>
wrote about 'Re: [gentoo-user] ssh-agent':
> I think these details about the workings of ssh-agent deserve more
> visibility. Did you find some unusual documentation or read the source?

I've never read the source, so it's a combination of documentation and
deduction. Documentation was probably from discussions of locked memory
issues and other security threats to ssh-agent over the span of time I've
been ssh-aware, so no specific URL I can hand you.

--
"If there's one thing we've established over the years, it's that the vast
majority of our users don't have the slightest clue what's best for them in
terms of package stability."
-- Gentoo Developer Ciaran McCreesh
* Re: [gentoo-user] ssh-agent
From: Mick @ 2006-11-21 21:15 UTC
To: gentoo-user

On Tuesday 21 November 2006 18:41, Jorge Almeida wrote:
> On Tue, 21 Nov 2006, Boyd Stephen Smith Jr. wrote:
> >> OK, that's what I thought. But a trojan running with the normal user
> >> permissions could get the keys by reading the temporary directory (not
> >> by connecting to the socket). Is this right?
> >
> > No. There's no files in the temporary directory besides the socket.
> >
> >> Or are the keys protected
> >> in some other way?
> >
> > They are only stored in locked memory; they are never on disk
> > unencrypted. Anyone that can read locked memory can access them, but this
> > is very few users/processes on Linux -- and besides those same users will
> > be able to read the key as you authenticate even if you don't use
> > ssh-agent, as long as they time things right.
>
> OK, this sounds better! I posted to the gnupg-users, asking a similar
> question about gpg-agent. I guess gpg-agent works the same way.

Please post back your findings!

What happens to the /tmp/ directory & socket file after the user logs out?
Does it get deleted by the ssh-agent shutdown script?

I am asking this because I seem to continuously accumulate a load of
gpg-agent directories and socket files into my /tmp. Unless of course
gpg-agent works on a different principle altogether. My start up & shutdown
scripts are in /etc/X11/Sessions/fluxbox. Are they correct for this task?
================================================
eval "$(gpg-agent --daemon)"
/usr/bin/startfluxbox
kill `echo ${GPG_AGENT_INFO} | cut -d ':' -f 2`
================================================

Or should I have another line to 'rm -Rf /tmp/gpg-*'

--
Regards,
Mick
* Re: [gentoo-user] ssh-agent
From: Jorge Almeida @ 2006-11-21 23:25 UTC
To: gentoo-user

On Tue, 21 Nov 2006, Mick wrote:
>>> They are only stored in locked memory; they are never on disk
>>> unencrypted. Anyone that can read locked memory can access them, but this
>>> is very few users/processes on Linux -- and besides those same users will
>>> be able to read the key as you authenticate even if you don't use
>>> ssh-agent, as long as they time things right.
>>
>> OK, this sounds better! I posted to the gnupg-users, asking a similar
>> question about gpg-agent. I guess gpg-agent works the same way.
>
> Please post back your findings!
>
Well, no responses yet in the gnupg-users list, so there are no findings to
post! (Let's wait at least a few hours :))

> What happens to the /tmp/ directory & socket file after the user logs out?
> Does it get deleted by the ssh-agent shutdown script?
>
I didn't start using ssh-agent yet, but I tested it from the command line
and the directory was removed when I killed the ssh-agent process.

> I am asking this because I seem to continuously accumulate a load of gpg-agent
> directories and socket files into my /tmp. Unless of course gpg-agent works
I suppose that has to do with the agent(s) working as daemons? I don't like
that kind of setup. This is what I intend to (try to) do:

- One fixed socket, in some dedicated directory (no /tmp, no random name
  for the socket)
- The socket name as a fixed env variable, set in the shell config files
- Hence, no need to eval, etc
- No daemon (i.e. no backgrounding). Just a service supervised by
  daemontools. Logs go to a directory of my choosing and if the agent dies,
  it is resurrected, and the socket (with the same name) is recreated (of
  course, keys must be added, then)
- A perl script to interact with the service, just in case.

I think this is not difficult to do, unless I grossly misunderstood
something essential. (Comments, anyone?) I just don't see the need to run
the agent as subordinate of an X session or whatever (please someone correct
me if I'm wrong!) And if I don't want the service running when I'm not
logged in, I could bring it down with the perl script (in ~/.bash_logout,
maybe?)
For gpg-agent, I'm not so sure, but I hope it can be done too.

> on a different principle altogether. My start up & shutdown scripts are
> in /etc/X11/Sessions/fluxbox. Are they correct for this task?
> ================================================
> eval "$(gpg-agent --daemon)"
> /usr/bin/startfluxbox
> kill `echo ${GPG_AGENT_INFO} | cut -d ':' -f 2`
> ================================================
>
> Or should I have another line to 'rm -Rf /tmp/gpg-*'
>
--
Jorge Almeida
* Re: [gentoo-user] ssh-agent
From: Justin Patrin @ 2007-02-12 23:26 UTC
To: gentoo-user

On 11/21/06, Jorge Almeida <jalmeida@math.ist.utl.pt> wrote:
> On Tue, 21 Nov 2006, Mick wrote:
> >>> They are only stored in locked memory; they are never on disk
> >>> unencrypted. Anyone that can read locked memory can access them, but this
> >>> is very few users/processes on Linux -- and besides those same users will
> >>> be able to read the key as you authenticate even if you don't use
> >>> ssh-agent, as long as they time things right.
> >>
> >> OK, this sounds better! I posted to the gnupg-users, asking a similar
> >> question about gpg-agent. I guess gpg-agent works the same way.
> >
> > Please post back your findings!
> >
> Well, no responses yet in the gnupg-users list, so there are no findings
> to post! (Let's wait at least a few hours :))
>
> > What happens to the /tmp/ directory & socket file after the user logs out?
> > Does it get deleted by the ssh-agent shutdown script?
> >
> I didn't start using ssh-agent yet, but I tested it from the command
> line and the directory was removed when I killed the ssh-agent process.
> > I am asking this because I seem to continuously accumulate a load of gpg-agent
> > directories and socket files into my /tmp. Unless of course gpg-agent works
> I suppose that has to do with the agent(s) working as daemons? I don't
> like that kind of setup. This is what I intend to (try to) do:
>
> - One fixed socket, in some dedicated directory (no /tmp, no random name
> for the socket)
> - The socket name as a fixed env variable, set in the shell config files
> - Hence, no need to eval, etc
> - No daemon (i.e. no backgrounding). Just a service supervised by
> daemontools. Logs go to a directory of my choosing and if the agent
> dies, it is resurrected, and the socket (with the same name) is
> recreated (of course, keys must be added, then)
> - A perl script to interact with the service, just in case.
>
> I think this is not difficult to do, unless I grossly misunderstood
> something essential. (Comments, anyone?) I just don't see the need to
> run the agent as subordinate of an X session or whatever (please someone
> correct me if I'm wrong!) And if I don't want the service running when
> I'm not logged in, I could bring it down with the perl script (in
> ~/.bash_logout, maybe?)
> For gpg-agent, I'm not so sure, but I hope it can be done too.
>
> > on a different principle altogether. My start up & shutdown scripts are
> > in /etc/X11/Sessions/fluxbox. Are they correct for this task?
> > ================================================
> > eval "$(gpg-agent --daemon)"
> > /usr/bin/startfluxbox
> > kill `echo ${GPG_AGENT_INFO} | cut -d ':' -f 2`
> > ================================================
> >
> > Or should I have another line to 'rm -Rf /tmp/gpg-*'
> >

ssh-agent /bin/sh

When you exit the shell, ssh-agent exits too (after cleaning up). Running
the agent as a daemon means you have to tell it when to shut down as well
(how would it know when to stop?).

--
Justin Patrin
* Re: [gentoo-user] ssh-agent
From: Mick @ 2007-02-16 17:54 UTC
To: gentoo-user

On Monday 12 February 2007 23:26, Justin Patrin wrote:
> On 11/21/06, Jorge Almeida <jalmeida@math.ist.utl.pt> wrote:
> > On Tue, 21 Nov 2006, Mick wrote:
> > >>> They are only stored in locked memory; they are never on disk
> > >>> unencrypted. Anyone that can read locked memory can access them, but
> > >>> this is very few users/processes on Linux -- and besides those same
> > >>> users will be able to read the key as you authenticate even if you
> > >>> don't use ssh-agent, as long as they time things right.
> > >>
> > >> OK, this sounds better! I posted to the gnupg-users, asking a similar
> > >> question about gpg-agent. I guess gpg-agent works the same way.
> > >
> > > Please post back your findings!
> >
> > Well, no responses yet in the gnupg-users list, so there are no findings
> > to post! (Let's wait at least a few hours :))
> >
> > > What happens to the /tmp/ directory & socket file after the user logs
> > > out? Does it get deleted by the ssh-agent shutdown script?
> >
> > I didn't start using ssh-agent yet, but I tested it from the command
> > line and the directory was removed when I killed the ssh-agent process.
> >
> > > I am asking this because I seem to continuously accumulate a load of
> > > gpg-agent directories and socket files into my /tmp. Unless of course
> > > gpg-agent works
> >
> > I suppose that has to do with the agent(s) working as daemons? I don't
> > like that kind of setup. This is what I intend to (try to) do:
> >
> > - One fixed socket, in some dedicated directory (no /tmp, no random name
> > for the socket)
> > - The socket name as a fixed env variable, set in the shell config files
> > - Hence, no need to eval, etc
> > - No daemon (i.e. no backgrounding). Just a service supervised by
> > daemontools. Logs go to a directory of my choosing and if the agent
> > dies, it is resurrected, and the socket (with the same name) is
> > recreated (of course, keys must be added, then)
> > - A perl script to interact with the service, just in case.
> >
> > I think this is not difficult to do, unless I grossly misunderstood
> > something essential. (Comments, anyone?) I just don't see the need to
> > run the agent as subordinate of an X session or whatever (please someone
> > correct me if I'm wrong!) And if I don't want the service running when
> > I'm not logged in, I could bring it down with the perl script (in
> > ~/.bash_logout, maybe?)
> > For gpg-agent, I'm not so sure, but I hope it can be done too.
> >
> > > on a different principle altogether. My start up & shutdown scripts
> > > are in /etc/X11/Sessions/fluxbox. Are they correct for this task?
> > > ================================================
> > > eval "$(gpg-agent --daemon)"
> > > /usr/bin/startfluxbox
> > > kill `echo ${GPG_AGENT_INFO} | cut -d ':' -f 2`
> > > ================================================
> > >
> > > Or should I have another line to 'rm -Rf /tmp/gpg-*'
>
> ssh-agent /bin/sh
>
> When you exit the shell, ssh-agent exits too (after cleaning up).
> Running the agent as a daemon means you have to tell it when to shut
> down as well (how would it know when to stop?).

Thanks Justin, the ssh-agent may clean up after its own lock-files, but the
gpg-agent doesn't. At least not when using my script above. My /tmp is full
of gpg-xxxx lock-files, which in the absence of a better solution I manually
delete every now and then.

--
Regards,
Mick
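The leftovers Mick reports can be cleared without a blanket `rm -Rf /tmp/gpg-*`, which would also delete the directory of an agent that is still running. The following added example, not from anyone in the thread, probes each candidate socket for a live listener and reports (or, only when asked, removes) directories owned by the current user in which nothing answers any more. It assumes a Linux/Unix host; the `ssh-*` and `gpg-*` directory prefixes are taken from the thread rather than from either program's source, and `make_fixture()` builds a constructed layout so the sweep can be tried offline.

```python
"""Added example: find, and optionally remove, agent socket directories in
/tmp whose agent has gone away.

A unix socket file outlives the process that bound it. Connecting to it is
the cheap liveness test: a live agent accepts, a leftover refuses. The sweep
never touches directories owned by another uid and deletes nothing unless
apply=True, so the default run is a report.
"""
import os
import shutil
import socket
import stat
import tempfile

AGENT_DIR_PREFIXES = ("ssh-", "gpg-")   # assumed from the thread's examples


def socket_has_listener(path, timeout=0.5):
    """True if something accepts connections on the unix socket at path."""
    probe = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    probe.settimeout(timeout)
    try:
        probe.connect(path)
        return True
    except socket.timeout:
        return True                      # a busy listener is still a listener
    except (ConnectionRefusedError, FileNotFoundError):
        return False                     # bound once, nobody behind it now
    finally:
        probe.close()


def find_stale_agent_dirs(tmpdir="/tmp", uid=None):
    """Directories under tmpdir that match an agent prefix, belong to uid
    (default: us), contain at least one socket, and have no live listener
    on any of those sockets."""
    uid = os.getuid() if uid is None else uid
    stale = []
    for name in sorted(os.listdir(tmpdir)):
        if not name.startswith(AGENT_DIR_PREFIXES):
            continue
        path = os.path.join(tmpdir, name)
        st = os.lstat(path)
        if not stat.S_ISDIR(st.st_mode) or st.st_uid != uid:
            continue                     # not a directory, or not ours: leave it
        sockets = [os.path.join(path, e) for e in os.listdir(path)
                   if stat.S_ISSOCK(os.lstat(os.path.join(path, e)).st_mode)]
        if sockets and not any(socket_has_listener(s) for s in sockets):
            stale.append(path)
    return stale


def sweep_stale_agent_dirs(tmpdir="/tmp", apply=False, uid=None):
    """Report stale agent directories; remove them only when apply=True."""
    stale = find_stale_agent_dirs(tmpdir, uid)
    if apply:
        for path in stale:
            shutil.rmtree(path)
    return stale


def make_fixture():
    """Constructed layout under a private temp root: one directory with a
    listening socket (stand-in for a running agent) and one whose socket
    was bound and then closed (the leftover Mick describes). Returns the
    root and the live listener, which must stay referenced to keep accepting."""
    root = tempfile.mkdtemp(prefix="agent-sweep-")
    live_dir = os.path.join(root, "ssh-live")
    stale_dir = os.path.join(root, "gpg-stale")
    os.mkdir(live_dir, 0o700)
    os.mkdir(stale_dir, 0o700)
    live = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    live.bind(os.path.join(live_dir, "agent.1"))
    live.listen(16)
    dead = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    dead.bind(os.path.join(stale_dir, "S.gpg-agent"))
    dead.close()                         # the socket file stays, with no listener
    return root, live


if __name__ == "__main__":
    for path in sweep_stale_agent_dirs():
        print("stale agent directory:", path)
```

Run without arguments it only lists what it would remove; wire `apply=True` into a logout hook only after the report matches expectations, since a directory with a live listener is left alone regardless.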