home tags events about login

horia rss

just a simple OpenBSD appreciator

horia bonked 05 May 2025 06:26 -0700
original: brynet@bsd.network

A very welcome change in #OpenBSD -current that impacts software which restrict filesystem access with unveil(2), but permit access to /tmp (like web browsers).

ssh-agent(1) listener sockets and forwarded sockets in sshd(8) will now be under ~/.ssh/agent instead.

djm@ modified src/usr.bin/ssh/*: Move agent listener sockets from /tmp to under ~/.ssh/agent for both ssh-agent(1) and forwarded sockets in sshd(8).

This ensures processes (such as Firefox) that have restricted filesystem access that includes /tmp (via unveil(3)) do not have the ability to use keys in an agent.

Moving the default directory has the consequence that the OS will no longer clean up stale agent sockets, so ssh-agent now gains this
ability.

To support $HOME on NFS, the socket path includes a truncated hash of the hostname. ssh-agent will by default only clean up sockets from the same hostname.

ssh-agent gains some new flags: -U suppresses the automatic cleanup of stale sockets when it starts. -u forces a cleanup without keeping a running agent, -uu forces a cleanup that ignores the hostname. -T makes ssh-agent put the socket back in /tmp.

feedback deraadt@ naddy@
doitdoitdoit deraadt@

#OpenSSH