ssh-agent Vulnerability...

发布: 1998-01-20
修订: 2020-04-23

In order to avoid forcing users of RSA based authentication to go through the trouble of retyping their pass phrase every time they wish to use ssh, slogin, or scp, the SSH package includes a program called ssh-agent, which manages RSA keys for the SSH program. The ssh-agent program creates a mode 700 directory in /tmp, and then creates an AF_UNIX socket in that directory. Later, the user runs the ssh-add program, which adds his private key to the set of keys managed by the ssh-agent program. When the user wishes to access a service which permits him to log in using only his RSA key, the SSH client connects to the AF_UNIX socket, and asks the ssh-agent program for the key. Unfortunately, when connecting to the AF_UNIX socket, the SSH client is running as super-user, and performs insufficient permissions checking. This makes it possible for users to trick their SSH clients into using credentials belonging to other users. The end result is that any user who utilizes RSA...