[Nix-dev] Re: [PATCH] autofs: Allow mounting sshfs-fuse filesystem using ssh-agents of the users only. There is afuse as well which might do a better job but that doesn't unmount automatically AFAIK. Using the example should prevent other users which are logged into your machine from using your mounts.

Marc Weber marco-oweber at gmx.de
Sat Dec 19 00:30:47 CET 2009


Excerpts from ludo's message of Sat Dec 19 00:17:09 +0100 2009:
> Hi Marc,
> 
> Marc Weber <marco-oweber at gmx.de> writes:
> 
> > The useful hack I wrote is a sshfs wrapper.
> > It uses pgrep to identify all running ssh-agents.
> > It then defines SSH_AGENT_PID and
> > SSH_AUTH_SOCK and tries to mount the location.
> > If it fails the next ssh-agent is tried.
> > (Usually you only have one on your computer anyway..)
> 
> OK, thanks for explaining.
> 
> > Using arbitrary ssh-agents is very dangerous:
> > Consider someone else logging into your machine.
> > If you add the key he could do:
> >   cd /auto/you-remote-location
> 
> Indeed.
> 
> My feeling is that it’s something that ought to be discussed with
> sshfs-fuse upstream, not hacked around in a distro, because there seems
> to be a fundamental usability issue (using sshfs-fuse with
> passphrase-protected keys), and there’s probably a wealth of security
> pitfalls like the one you mention above.
> 
> What do you think?

Gentoo contains masked packages as well. They are still useful to some.
But if it's the case that I'm the only one being interested in this I
will write a howto on the wiki.

I'll commit all changes but the script now.
I can still put things up on the wiki..
That's what topgit is for.

About the keys: There were some mails in 2006. So it's unlikely that
anything is happening soon. If you use your computer yourself only it's
still very valuable (IMHO). Maybe you even want to try it sometime?

Marc Weber
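
An added example, not the wrapper script from the patch: one way to limit agent selection to the requesting user, so that a mount triggered by one login never borrows another user's ssh-agent. It assumes the traditional OpenSSH socket layout `/tmp/ssh-XXXXXXXXXX/agent.<pid>` and that the caller already knows the requesting uid; the function names are hypothetical.

```python
import glob
import os
import stat


def agent_sockets_for_uid(uid, tmp_root="/tmp"):
    """Return ssh-agent socket paths under tmp_root that belong to uid.

    Assumed layout: <tmp_root>/ssh-XXXXXXXXXX/agent.<pid>
    """
    usable = []
    for path in sorted(glob.glob(os.path.join(tmp_root, "ssh-*", "agent.*"))):
        try:
            # lstat: never follow a symlink planted by another user
            d = os.lstat(os.path.dirname(path))
            s = os.lstat(path)
        except OSError:
            continue  # vanished or unreadable: skip it
        # Directory must be a real directory, owned by uid, closed to group/other
        if not stat.S_ISDIR(d.st_mode) or d.st_uid != uid or d.st_mode & 0o077:
            continue
        # Entry must be a socket owned by the same uid
        if not stat.S_ISSOCK(s.st_mode) or s.st_uid != uid:
            continue
        usable.append(path)
    return usable


def agent_env(uid, tmp_root="/tmp"):
    """Environment for the mount helper, or None if uid has no usable agent."""
    socks = agent_sockets_for_uid(uid, tmp_root)
    if not socks:
        return None  # fail closed: do not fall back to someone else's agent
    env = dict(os.environ)
    env["SSH_AUTH_SOCK"] = socks[0]
    env.pop("SSH_AGENT_PID", None)  # not needed to talk to the agent
    return env
```

This only decides which agent may be used for the mount; who can read the resulting mount point is a separate question, governed by the mount's own access options.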
