ssh: listener sockets relocated from /tmp to ~/.ssh/agent
by from OpenBSD Journal on (#6X34S)
A long discussion on tech@ (initiated by a suggestion/patch from Jesper Wallin) has culminated in Damien Miller (djm@) committing changes which increase security by taking advantage of the use of unveil(2) elsewhere in the OpenBSD ecosystem:
CVSROOT:        /cvs
Module name:    src
Changes by:     djm@cvs.openbsd.org     2025/05/04 20:48:07

Modified files:
        usr.bin/ssh/sshd-session: Makefile
        usr.bin/ssh/sshd-auth   : Makefile
        usr.bin/ssh/ssh-agent   : Makefile
        usr.bin/ssh             : ssh-agent.c ssh-agent.1 session.c pathnames.h misc.h misc.c hostfile.c

Log message:
Move agent listener sockets from /tmp to under ~/.ssh/agent for both
ssh-agent(1) and forwarded sockets in sshd(8).

This ensures processes (such as Firefox) that have restricted
filesystem access that includes /tmp (via unveil(3)) do not have the
ability to use keys in an agent.
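A post-upgrade check a user might run to confirm their running agent has picked up the new layout, added here as an example and not part of the commit or the article. It assumes only that the agent socket path is in $SSH_AUTH_SOCK; the function names and the "private directory" test (owner-only permission bits) are this example's own.

```shell
#!/bin/sh
# Added example, not from the OpenSSH commit: verify that the agent socket
# no longer lives under /tmp and that only the user can reach it.

# Classify an agent socket path: "tmp" (old layout), "agent-dir" (new layout
# under ~/.ssh/agent) or "other".  $1 = socket path, $2 = home directory.
agent_sock_location() {
    case "$1" in
        /tmp/*)            echo tmp ;;
        "$2"/.ssh/agent/*) echo agent-dir ;;
        *)                 echo other ;;
    esac
}

# Return 0 when the directory is owned by the caller and has no group/other
# permission bits, i.e. only the owner can traverse it to the socket.
dir_private() {
    [ -d "$1" ] && [ -O "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)   # group+other bits of the mode string
    [ "$perms" = "------" ]
}

# Report on the socket named by $1 (default: $SSH_AUTH_SOCK); non-zero on a problem.
check_agent_sock() {
    sock=${1:-$SSH_AUTH_SOCK}
    [ -n "$sock" ] || { echo "no SSH_AUTH_SOCK set"; return 1; }
    [ -S "$sock" ] || { echo "$sock is not a socket"; return 1; }
    loc=$(agent_sock_location "$sock" "$HOME")
    if [ "$loc" = tmp ]; then
        echo "WARN: agent socket still under /tmp (old agent?): $sock"; return 1
    fi
    if dir_private "$(dirname "$sock")"; then
        echo "OK: $sock ($loc), directory private to the user"
    else
        echo "WARN: $(dirname "$sock") is readable by others"; return 1
    fi
}
```

Run `check_agent_sock` in a shell that has the agent's environment; an agent started before the upgrade still reports a /tmp socket until it is restarted.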