A surprise with switching to holding keys in ssh-agent

September 19, 2016

Every so often I want to transfer a root-only file from my office workstation off to another machine for analysis or the like (the reasons this is necessary are complex). So every so often I wind up doing this:

$ /bin/su
# scp /some/file cks@server:/tmp/foobar
cks@server's password: [...]

Except that I lied there. That password prompt is certainly what used to happen and it's what happens when I do this same operation from any of our servers, but on my office workstation the scp just works without any password challenge. The first time that this happened I was surprised for a bit, then I worked out what was happening.

What's happened is that I switched to holding my SSH keys in ssh-agent instead of having them sitting in $HOME/.ssh. Su'ing to root does not clear the environment variables that tell commands how to talk to my ssh-agent process and of course root has the permissions necessary to access the SSH agent authentication socket, so the root-run scp sees that it has an SSH agent available and uses it. Voila, passwordless access for root to my remote account. This doesn't happen on our servers because I don't forward my SSH agent to my account on our servers (I consider it too dangerous).

Of course root had just as much access to my keys back in the days of having them sitting unencrypted in $HOME/.ssh. The difference is that su'ing to root changes $HOME, so scp, ssh, and so on didn't look at ~cks/.ssh et al, they looked at ~root/.ssh and the latter didn't have my keys (or the SSH configuration that would have told SSH how to use the keys). It's the combination of using an SSH agent and su passing through the environment variables that make SSH programs talk to it that leads to this particular result.

Also, this is specific to habitually using su instead of sudo. By default, sudo preserves only a relatively few environment variables and removes everything else, and the SSH agent environment variables aren't among the environment variables that make it through. Su is from an older era and so generally defaults to preserving almost everything (for good or bad, take your pick).

(Since sudo passes through things like $XAUTHORITY and $DISPLAY, arguably it should also pass through the SSH agent environment variables. But it doesn't now and I expect that it's unlikely to ever change the default; regardless of any merits of a change, there are too many arguments that anti-change people could muster here.)
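
One way to keep a root shell from silently picking up an agent it inherited through su is to check who owns the agent socket. The following is an added example, not part of the original post; the function names are hypothetical, and it assumes the agent is located through the standard SSH_AUTH_SOCK and SSH_AGENT_PID variables and that the script is sourced from root's shell startup file.

```shell
#!/bin/sh
# Added example: notice an ssh-agent socket inherited from another user
# (for instance after a plain `su`) and drop it from the environment.

# Print the numeric uid that owns a path; fail if the path does not exist.
path_owner_uid() {
    [ -e "$1" ] || return 1
    ls -ldn -- "$1" | awk '{print $3}'
}

# foreign_agent SOCK UID
# Succeeds only if SOCK is non-empty, exists, and is owned by a uid
# other than UID. Leaves the owning uid in $owner for the caller.
foreign_agent() {
    sock=$1
    want_uid=$2
    [ -n "$sock" ] || return 1
    owner=$(path_owner_uid "$sock") || return 1
    [ "$owner" != "$want_uid" ]
}

# drop_foreign_agent [UID]
# Unsets the agent variables when the socket belongs to someone else.
# UID defaults to the uid of the running shell.
drop_foreign_agent() {
    my_uid=${1:-$(id -u)}
    if foreign_agent "${SSH_AUTH_SOCK:-}" "$my_uid"; then
        echo "note: ignoring ssh-agent socket owned by uid $owner" >&2
        unset SSH_AUTH_SOCK SSH_AGENT_PID
    fi
}

# When sourced from a startup file, apply the check immediately.
drop_foreign_agent
```

This only changes what the shell uses by default; root can still open the socket deliberately, as the post notes.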

Written on 19 September 2016.

Last modified: Mon Sep 19 23:28:40 2016