From 90f2d736948ae069fc8d43d2fe5566b0c2c70b59 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Mon, 11 Jan 2021 02:54:28 -0300 Subject: allow-ssh.inc: allow access to ssh-agent(1) Leaving it limited to only ssh, ssh-agent and seahorse by default seems unnecessarily restrictive. From ssh(1): > The most convenient way to use public key or certificate > authentication may be with an authentication agent. See ssh-agent(1) > and (optionally) the AddKeysToAgent directive in ssh_config(5) for > more information. $ pacman -Q openssh openssh 8.4p1-2 With ssh-agent(1) running in the background (and with the private key(s) loaded through ssh-add(1)), ssh(1) doesn't need direct access to the actual key pair(s), so you could probably get away with this on allow-ssh.local: ignore noblacklist ${HOME}/.ssh noblacklist ${HOME}/.ssh/config noblacklist ${HOME}/.ssh/config.d noblacklist ${HOME}/.ssh/known_hosts And then this on the profiles of ssh key pair managers, such as seahorse.local: noblacklist ${HOME}/.ssh --- etc/inc/allow-ssh.inc | 1 + 1 file changed, 1 insertion(+) (limited to 'etc/inc/allow-ssh.inc') diff --git a/etc/inc/allow-ssh.inc b/etc/inc/allow-ssh.inc index 48b1f91ba..67c78a483 100644 --- a/etc/inc/allow-ssh.inc +++ b/etc/inc/allow-ssh.inc @@ -5,3 +5,4 @@ include allow-ssh.local noblacklist ${HOME}/.ssh noblacklist /etc/ssh noblacklist /etc/ssh/ssh_config +noblacklist /tmp/ssh-* -- cgit v1.2.3-70-g09d2
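Review bot: the added `noblacklist /tmp/ssh-*` line in allow-ssh.inc has no comment explaining what it re-exposes, and the subject line is the only place that ties it to ssh-agent(1); add a one-line comment above it (for example `# ssh-agent socket directory`) so a reader of the include file does not have to dig up this commit. Two caveats belong either in that comment or in the commit message: noblacklist only cancels an earlier blacklist rule, so any profile that also uses private-tmp still will not see the agent socket and would need an explicit whitelist for it; and the glob matches every /tmp entry whose name begins with `ssh-`, which is broader than the agent's own directory, so the include is re-exposing anything else placed in /tmp under that prefix, not just the socket the subject line names.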