Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I use many terminal windows and/or virtual consoles on Linux, often as many as 60 of them. I'm now trying to start using ssh-agent to keep my SSH keys encrypted. What I am finding is that using ssh-agent on each creates multiple instances. That doesn't work very well. It seems what I need to do is create one instance and get all the information shared into the environment space of each terminal/console instance. Before I go off to design something to do that, I'm just wondering if it has been done, already.
My first thought is to start the ssh-agent from a script which captures the named socket path and makes a fixed symlink pointing to it. Of course, this defeats obscurity of the path, but is that real security (answer: no). Another symlink is made to store the PID. Then I would have a bash alias or command function in the login shell for each terminal that can refresh the environment variables from those known symlinks. I would run that in each login shell. Alternatively, an ssh wrapper script would pick up those values to pass directly to the real ssh program. What security risks might this be creating?
The first security issue I found was one of my own making. I had "ForwardAgent yes" in my .ssh/config files. That's fixed, now. That would not work well when accessing servers where other admins have root access. It will have to be specific to fully trusted machines.
Here's what I started dabbling with on my own called "start-ssh-agent":
Code:
#!/bin/bash
cd || exit 1
if [[ -n "${kill}" || -n "${KILL}" ]] ; then
if [[ -L .ssh_agent_pid ]] ; then
ssh_agent_pid=$( exec readlink .ssh_agent_pid )
kill -TERM "${ssh_agent_pid}" 2>/dev/null
sleep 1
kill -KILL "${ssh_agent_pid}" 2>/dev/null
fi
else
if [[ -L .ssh_agent_pid ]] ; then
ssh_agent_pid=$( exec readlink .ssh_agent_pid )
echo "SSH agent already active at process ID ${ssh_agent_pid}"
echo "kill it or run: kill=yes start-ssh-agent" "$@"
exit 1
fi
fi
if [[ -L .ssh_auth_sock ]] ; then
ssh_auth_sock=$( exec readlink .ssh_auth_sock )
rm -fv "${ssh_auth_sock}"
rm -f .ssh_auth_sock
fi
eval $( exec ssh-agent -s ) 1>/dev/null
ln -fns "${SSH_AUTH_SOCK}" .ssh_auth_sock
ln -fns "${SSH_AGENT_PID}" .ssh_agent_pid
ls -dGl .ssh_auth_sock
ls -dGl .ssh_agent_pid
exit 0
Now I need to either set up a bash alias/function to set these variables in its environment, or make an ssh wrapper that picks them up and sets them in that context. Since I already have an ssh wrapper for other reasons, I'll favor that for my first attempt.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
