diff options
author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2021-01-11 02:54:28 -0300 |
---|---|---|
committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2021-01-27 18:18:39 -0300 |
commit | 90f2d736948ae069fc8d43d2fe5566b0c2c70b59 (patch) | |
tree | 26a15a4e30ae3792992a859b027a11ac35cb5b2b /etc/profile-m-z | |
parent | ssh: deny access to the rest of /etc/ssh/* (diff) | |
download | firejail-90f2d736948ae069fc8d43d2fe5566b0c2c70b59.tar.gz firejail-90f2d736948ae069fc8d43d2fe5566b0c2c70b59.tar.zst firejail-90f2d736948ae069fc8d43d2fe5566b0c2c70b59.zip |
allow-ssh.inc: allow access to ssh-agent(1)
Leaving it limited to only ssh, ssh-agent and seahorse by default seems
unnecessarily restrictive.
From ssh(1):
> The most convenient way to use public key or certificate
> authentication may be with an authentication agent. See ssh-agent(1)
> and (optionally) the AddKeysToAgent directive in ssh_config(5) for
> more information.
$ pacman -Q openssh
openssh 8.4p1-2
With ssh-agent(1) running in the background (and with the private key(s)
loaded through ssh-add(1)), ssh(1) doesn't need direct access to the
actual key pair(s), so you could probably get away with this on
allow-ssh.local:
ignore noblacklist ${HOME}/.ssh
noblacklist ${HOME}/.ssh/config
noblacklist ${HOME}/.ssh/config.d
noblacklist ${HOME}/.ssh/known_hosts
And then this on the profiles of ssh key pair managers, such as
seahorse.local:
noblacklist ${HOME}/.ssh
Diffstat (limited to 'etc/profile-m-z')
-rw-r--r-- | etc/profile-m-z/seahorse.profile | 1 | ||||
-rw-r--r-- | etc/profile-m-z/ssh-agent.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/ssh.profile | 1 |
3 files changed, 0 insertions, 4 deletions
diff --git a/etc/profile-m-z/seahorse.profile b/etc/profile-m-z/seahorse.profile index 0f91c79ec..065409e78 100644 --- a/etc/profile-m-z/seahorse.profile +++ b/etc/profile-m-z/seahorse.profile | |||
@@ -9,7 +9,6 @@ include globals.local | |||
9 | blacklist /tmp/.X11-unix | 9 | blacklist /tmp/.X11-unix |
10 | 10 | ||
11 | noblacklist ${HOME}/.gnupg | 11 | noblacklist ${HOME}/.gnupg |
12 | noblacklist /tmp/ssh-* | ||
13 | 12 | ||
14 | # Allow ssh (blacklisted by disable-common.inc) | 13 | # Allow ssh (blacklisted by disable-common.inc) |
15 | include allow-ssh.inc | 14 | include allow-ssh.inc |
diff --git a/etc/profile-m-z/ssh-agent.profile b/etc/profile-m-z/ssh-agent.profile index 60c7b510c..5802299a3 100644 --- a/etc/profile-m-z/ssh-agent.profile +++ b/etc/profile-m-z/ssh-agent.profile | |||
@@ -6,8 +6,6 @@ include ssh-agent.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist /tmp/ssh-* | ||
10 | |||
11 | # Allow ssh (blacklisted by disable-common.inc) | 9 | # Allow ssh (blacklisted by disable-common.inc) |
12 | include allow-ssh.inc | 10 | include allow-ssh.inc |
13 | 11 | ||
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile index 3ddd96df4..641c3a79d 100644 --- a/etc/profile-m-z/ssh.profile +++ b/etc/profile-m-z/ssh.profile | |||
@@ -7,7 +7,6 @@ include ssh.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | noblacklist /tmp/ssh-* | ||
11 | # nc can be used as ProxyCommand, e.g. when using tor | 10 | # nc can be used as ProxyCommand, e.g. when using tor |
12 | noblacklist ${PATH}/nc | 11 | noblacklist ${PATH}/nc |
13 | noblacklist ${PATH}/ncat | 12 | noblacklist ${PATH}/ncat |