On 19.07.23 16:40, Damien Miller wrote:
> Exploitation can also be prevented by starting ssh-agent(1) with an
> empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring
> an allowlist that contains only specific provider libraries.
Upon trying to deploy such a workaround, I found that the call to
ssh-agent(1) nowadays is hidden *ridiculously* deep in the GUI startup
mechanisms. (As in, did "find | xargs grep ssh-agent" and such across
the entire OS install and *still* haven't found it.)
Feature request: Please consider giving ssh-agent(1) a config file(s) to
drop at least the potentially security-relevant options into.
(One would think that when the maintainers of hulking package X call out
to an executable of entirely different package Y that has a nontrivial
command line syntax, it'd be a no-brainer to put an X-maintained wrapper
script in between, just in case that the maintainers of Y pull an
ncat(1) and rename a bunch of options, but noooo ...)
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
> Exploitation can also be prevented by starting ssh-agent(1) with an
> empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring
> an allowlist that contains only specific provider libraries.
Upon trying to deploy such a workaround, I found that the call to
ssh-agent(1) nowadays is hidden *ridiculously* deep in the GUI startup
mechanisms. (As in, did "find | xargs grep ssh-agent" and such across
the entire OS install and *still* haven't found it.)
Feature request: Please consider giving ssh-agent(1) a config file(s) to
drop at least the potentially security-relevant options into.
(One would think that when the maintainers of hulking package X call out
to an executable of entirely different package Y that has a nontrivial
command line syntax, it'd be a no-brainer to put an X-maintained wrapper
script in between, just in case that the maintainers of Y pull an
ncat(1) and rename a bunch of options, but noooo ...)
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
Attached Files:
-
smime.p7s (3.37 KB)