author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2021-01-11 02:54:28 -0300 |
---|---|---|
committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2021-01-27 18:18:39 -0300 |
commit | 90f2d736948ae069fc8d43d2fe5566b0c2c70b59 | |
tree | 26a15a4e30ae3792992a859b027a11ac35cb5b2b /src/fbuilder | |
parent | ssh: deny access to the rest of /etc/ssh/* | |
allow-ssh.inc: allow access to ssh-agent(1)
Leaving it limited to only ssh, ssh-agent and seahorse by default seems
unnecessarily restrictive.
From ssh(1):
> The most convenient way to use public key or certificate
> authentication may be with an authentication agent. See ssh-agent(1)
> and (optionally) the AddKeysToAgent directive in ssh_config(5) for
> more information.
$ pacman -Q openssh
openssh 8.4p1-2
With ssh-agent(1) running in the background (and with the private key(s)
loaded through ssh-add(1)), ssh(1) doesn't need direct access to the
actual key pair(s), so you could probably get away with this on
allow-ssh.local:
ignore noblacklist ${HOME}/.ssh
noblacklist ${HOME}/.ssh/config
noblacklist ${HOME}/.ssh/config.d
noblacklist ${HOME}/.ssh/known_hosts
And then this on the profiles of ssh key pair managers, such as
seahorse.local:
noblacklist ${HOME}/.ssh
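As an added example that is not part of this commit or of firejail's own code, the following simplified Python model applies the allow-ssh.local override from the commit message to a few paths and reports which ones stay reachable in the sandbox. It assumes that firejail's `ignore` drops later lines matching its argument as a whole word, that a noblacklisted file keeps its blacklisted parent directory reachable while the directory's other entries stay hidden, and that `${HOME}` is `/home/user`; the profile chain and the paths are constructed, and both semantic assumptions should be checked against firejail-profile(5).

```python
# Added example (not firejail's code): a simplified model of how firejail
# combines `ignore`, `noblacklist` and `blacklist`, run against the
# allow-ssh.local override from the commit message. Assumptions: `ignore X`
# drops later lines equal to X as a whole word; a noblacklisted child keeps
# its blacklisted parent directory visible while the other entries stay hidden.
HOME = "/home/user"  # constructed stand-in for ${HOME}
# Constructed profile chain in the order firejail reads it: .local first.
PROFILE = """
# allow-ssh.local (user override)
ignore noblacklist ${HOME}/.ssh
noblacklist ${HOME}/.ssh/config
noblacklist ${HOME}/.ssh/config.d
noblacklist ${HOME}/.ssh/known_hosts
# allow-ssh.inc (shipped)
noblacklist ${HOME}/.ssh
# disable-common.inc (shipped)
blacklist ${HOME}/.ssh
"""

def expand(arg):
    return arg.strip().replace("${HOME}", HOME)

def parse(profile):
    """Return (noblacklist, blacklist) path lists after applying `ignore`."""
    ignored, noblack, black = [], [], []
    for raw in profile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("ignore "):
            ignored.append(line[len("ignore "):].strip())
        elif any(line == ig or line.startswith(ig + " ") for ig in ignored):
            continue  # whole-word match, so the ".ssh/config" lines survive
        else:
            cmd, _, arg = line.partition(" ")
            # other commands are irrelevant to this model and are discarded
            {"noblacklist": noblack, "blacklist": black}.get(cmd, []).append(expand(arg))
    return noblack, black

def is_visible(path, profile=PROFILE):
    """True if `path` stays reachable inside the sandbox under `profile`."""
    noblack, black = parse(profile)
    path = expand(path)
    for b in black:
        if path == b or path.startswith(b + "/"):
            # exempt when a noblacklist entry is the path or one of its ancestors
            if any(path == n or path.startswith(n + "/") for n in noblack):
                return True
            # a blacklisted directory holding a noblacklisted child is kept
            return any(n.startswith(path + "/") for n in noblack)
    return True
```

Dropping the `ignore` line from the constructed chain reproduces the stock allow-ssh.inc behaviour, where the whole `~/.ssh` directory, private keys included, is reachable.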
Diffstat (limited to 'src/fbuilder')
0 files changed, 0 insertions, 0 deletions