field | value | date
---|---|---
author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2021-01-11 02:54:28 -0300
committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2021-01-27 18:18:39 -0300
commit | 90f2d736948ae069fc8d43d2fe5566b0c2c70b59 (patch) |
tree | 26a15a4e30ae3792992a859b027a11ac35cb5b2b /etc/profile-m-z/ssh-agent.profile |
parent | ssh: deny access to the rest of /etc/ssh/* (diff) |
allow-ssh.inc: allow access to ssh-agent(1)
Leaving it limited to only ssh, ssh-agent and seahorse by default seems
unnecessarily restrictive.
From ssh(1):
> The most convenient way to use public key or certificate
> authentication may be with an authentication agent. See ssh-agent(1)
> and (optionally) the AddKeysToAgent directive in ssh_config(5) for
> more information.
$ pacman -Q openssh
openssh 8.4p1-2
With ssh-agent(1) running in the background (and with the private key(s)
loaded through ssh-add(1)), ssh(1) doesn't need direct access to the
actual key pair(s), so you could probably get away with this on
allow-ssh.local:
ignore noblacklist ${HOME}/.ssh
noblacklist ${HOME}/.ssh/config
noblacklist ${HOME}/.ssh/config.d
noblacklist ${HOME}/.ssh/known_hosts
And then this on the profiles of ssh key pair managers, such as
seahorse.local:
noblacklist ${HOME}/.ssh
Diffstat (limited to 'etc/profile-m-z/ssh-agent.profile')
-rw-r--r-- | etc/profile-m-z/ssh-agent.profile | 2 |
1 files changed, 0 insertions, 2 deletions
diff --git a/etc/profile-m-z/ssh-agent.profile b/etc/profile-m-z/ssh-agent.profile index 60c7b510c..5802299a3 100644 --- a/etc/profile-m-z/ssh-agent.profile +++ b/etc/profile-m-z/ssh-agent.profile | |||
@@ -6,8 +6,6 @@ include ssh-agent.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist /tmp/ssh-* | ||
10 | |||
11 | # Allow ssh (blacklisted by disable-common.inc) | 9 | # Allow ssh (blacklisted by disable-common.inc) |
12 | include allow-ssh.inc | 10 | include allow-ssh.inc |
13 | 11 | ||
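Review bot: removing `noblacklist /tmp/ssh-*` from this profile only keeps ssh-agent working if the `include allow-ssh.inc` that follows now carries an equivalent entry, and the diffstat (limited to this file) does not show that; please confirm allow-ssh.inc provides `noblacklist /tmp/ssh-*` (or state it in the commit message), since otherwise the agent loses access to the /tmp/ssh-* directory where it creates its socket.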