| field | value | date |
|---|---|---|
| author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2021-01-11 02:54:28 -0300 |
| committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2021-01-27 18:18:39 -0300 |
| commit | 90f2d736948ae069fc8d43d2fe5566b0c2c70b59 (patch) | |
| tree | 26a15a4e30ae3792992a859b027a11ac35cb5b2b /etc/inc | |
| parent | ssh: deny access to the rest of /etc/ssh/* (diff) | |
allow-ssh.inc: allow access to ssh-agent(1)
Leaving it limited to only ssh, ssh-agent and seahorse by default seems
unnecessarily restrictive.
From ssh(1):
> The most convenient way to use public key or certificate
> authentication may be with an authentication agent. See ssh-agent(1)
> and (optionally) the AddKeysToAgent directive in ssh_config(5) for
> more information.
$ pacman -Q openssh
openssh 8.4p1-2
With ssh-agent(1) running in the background (and with the private key(s)
loaded through ssh-add(1)), ssh(1) doesn't need direct access to the
actual key pair(s), so you could probably get away with this on
allow-ssh.local:
ignore noblacklist ${HOME}/.ssh
noblacklist ${HOME}/.ssh/config
noblacklist ${HOME}/.ssh/config.d
noblacklist ${HOME}/.ssh/known_hosts
And then this on the profiles of ssh key pair managers, such as
seahorse.local:
noblacklist ${HOME}/.ssh
Diffstat (limited to 'etc/inc')
-rw-r--r-- | etc/inc/allow-ssh.inc | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/etc/inc/allow-ssh.inc b/etc/inc/allow-ssh.inc index 48b1f91ba..67c78a483 100644 --- a/etc/inc/allow-ssh.inc +++ b/etc/inc/allow-ssh.inc | |||
@@ -5,3 +5,4 @@ include allow-ssh.local | |||
5 | noblacklist ${HOME}/.ssh | 5 | noblacklist ${HOME}/.ssh |
6 | noblacklist /etc/ssh | 6 | noblacklist /etc/ssh |
7 | noblacklist /etc/ssh/ssh_config | 7 | noblacklist /etc/ssh/ssh_config |
8 | noblacklist /tmp/ssh-* | ||
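Review bot: the new `noblacklist /tmp/ssh-*` line carries no comment explaining what it is for, and the commit title is the only place that links it to ssh-agent(1); a one-line comment in allow-ssh.inc above line 8 (e.g. `# ssh-agent(1) socket directory`) would keep that intent visible to anyone editing the include later. The commit message should also spell out the consequence of the change it enables: once a sandboxed program can reach the agent socket, it can request signatures with every key loaded via ssh-add(1) even though the key files under ${HOME}/.ssh stay blacklisted, so the suggested allow-ssh.local override (`ignore noblacklist ${HOME}/.ssh` plus the config/known_hosts entries) reduces file exposure but does not reduce what the program can do with the loaded keys.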