Contributed by rueda on from the no sock for tmp dept.
A long discussion on tech@ (initiated by a suggestion/patch from Jesper Wallin) has culminated in Damien Miller (djm@) committing changes which increase security by taking advantage of the use of unveil(2) elsewhere in the OpenBSD ecosystem:
CVSROOT:	/cvs
Module name:	src
Changes by:	djm@cvs.openbsd.org	2025/05/04 20:48:07

Modified files:
	usr.bin/ssh/sshd-session: Makefile
	usr.bin/ssh/sshd-auth: Makefile
	usr.bin/ssh/ssh-agent: Makefile
	usr.bin/ssh   : ssh-agent.c ssh-agent.1 session.c pathnames.h misc.h misc.c hostfile.c

Log message:
Move agent listener sockets from /tmp to under ~/.ssh/agent for both
ssh-agent(1) and forwarded sockets in sshd(8).

This ensures processes (such as Firefox) that have restricted filesystem
access that includes /tmp (via unveil(3)) do not have the ability to use
keys in an agent.

Moving the default directory has the consequence that the OS will no
longer clean up stale agent sockets, so ssh-agent now gains this ability.

To support $HOME on NFS, the socket path includes a truncated hash of the
hostname. ssh-agent will by default only clean up sockets from the same
hostname.

ssh-agent gains some new flags:
-U suppresses the automatic cleanup of stale sockets when it starts.
-u forces a cleanup without keeping a running agent,
-uu forces a cleanup that ignores the hostname.
-T makes ssh-agent put the socket back in /tmp.

feedback deraadt@ naddy@, doitdoitdoit deraadt@
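The log message describes two behaviours that are easy to get wrong when sockets move out of /tmp: deciding which socket files are stale, and only touching sockets that belong to the current host when $HOME is shared over NFS. The Python below is an added model of that policy, not code from the commit or from OpenSSH. Its assumptions are labelled in the comments: the socket file naming (`agent.<hosttag>.<pid>`), the choice of a truncated SHA-256 of the hostname as the tag, and treating a refused connect() as the definition of "stale". The default cleanup corresponds to what ssh-agent does at startup (same hostname only); `ignore_hostname=True` corresponds to the `-uu` behaviour.

```python
"""Model of hostname-scoped stale agent socket cleanup (added example)."""
import hashlib
import os
import socket
import tempfile


def host_tag(hostname: str) -> str:
    # Assumed scheme: first 8 hex chars of SHA-256 of the hostname.
    # The commit only says "a truncated hash of the hostname"; digest and
    # length here are this example's choice, not OpenSSH's.
    return hashlib.sha256(hostname.encode()).hexdigest()[:8]


def socket_path(agent_dir: str, hostname: str, pid: int) -> str:
    # Assumed file naming: agent.<hosttag>.<pid> inside the agent directory.
    return os.path.join(agent_dir, f"agent.{host_tag(hostname)}.{pid}")


def is_stale(path: str) -> bool:
    # A socket file with no listener behind it answers connect() with
    # ECONNREFUSED; a live agent accepts the connection.
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        s.connect(path)
        return False
    except (ConnectionRefusedError, FileNotFoundError):
        return True
    finally:
        s.close()


def cleanup(agent_dir: str, hostname: str, ignore_hostname: bool = False) -> list:
    """Remove stale agent sockets; return the names removed (sorted)."""
    removed = []
    tag = host_tag(hostname)
    for name in sorted(os.listdir(agent_dir)):
        parts = name.split(".")
        if len(parts) != 3 or parts[0] != "agent":
            continue  # not one of our socket files; leave it alone
        if not ignore_hostname and parts[1] != tag:
            continue  # belongs to another host sharing this $HOME over NFS
        path = os.path.join(agent_dir, name)
        if is_stale(path):
            os.unlink(path)
            removed.append(name)
    return removed


def demo() -> dict:
    """Constructed scenario: one live and one stale socket for host 'alpha',
    one stale socket for host 'beta' left behind on a shared $HOME."""
    with tempfile.TemporaryDirectory() as agent_dir:
        os.chmod(agent_dir, 0o700)  # agent dir is private to the user

        live = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        live.bind(socket_path(agent_dir, "alpha", 1001))
        live.listen(1)  # a running agent on this host

        stale = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        stale.bind(socket_path(agent_dir, "alpha", 1002))
        stale.close()  # agent died; the socket file is left behind

        other = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        other.bind(socket_path(agent_dir, "beta", 2001))
        other.close()  # stale socket created by another host

        default = cleanup(agent_dir, "alpha")               # startup behaviour
        everything = cleanup(agent_dir, "alpha", True)      # "-uu" behaviour
        survivors = sorted(os.listdir(agent_dir))
        live.close()
        return {"default": default, "uu": everything, "left": survivors}


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints which files each pass removed: the same-host pass deletes only the dead `alpha` socket and leaves the `beta` one for that host's own agent to judge, and the hostname-ignoring pass then removes it; the live listener survives both passes because connect() succeeds against it.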
That's it, a snoop-resistant ssh is coming soon, to -current on your neighborhood OpenBSD mirror.