This is the mail archive of the cygwin mailing list for the Cygwin project.



ssh-agent not working with McAfee: a workaround with modified ssh-agent


Hi,

I made a modified version of ssh-agent so it can run under cygrunsrv
under the local system account. This seems to work fine without having
to disable or uninstall McAfee.

Note: this is not an official update. It is a version I made for my own
purposes but others might find it usable too.

Changes I made:
1) Added a -r flag which prevents ssh-agent from forking.
2) Replaced fprintf(stderr,...) with logit(...) for logging to the event
log when running under cygrunsrv.
3) Added a source file (ssh-agent-reg.c) which contains a routine to
register the SSH_AUTH_SOCK in the global environment variable list of
Windows (through the Windows registry).
4) Qualified all identity(key) accesses with the euid/egid as presented
when adding the key initially.
Reason: when running ssh-agent under the SYSTEM account, all keys are
potentially accessible for everyone (security issue). Solution: when
adding a key, the euid and egid as obtained from getpeereid() are stored
together with the key. All subsequent accesses to that stored key are
restricted to the user which added the key (based on the euid and egid
obtained using getpeereid()). This basically limits access to the keys
to their creators only.
5) Added TAILQ_FOREACH_SAFE macro to openbsd-compat/sys-queue.h (needed
to remove only the keys for the invoking user when using ssh-add -D).

Notes:
Changes 1 and 4 are conditionally compiled using #ifdef __CYGWIN__/#endif.
Change 3 is based on a solution that Karl M posted earlier (subject:
"Re: how to make ssh-agent automatically").

The changes are based on the source code of openssh-4.4p1-1.

I have tested these modifications on a W2K machine only. The registry
functions should work for Windows 95 upwards (according to their
description on the Microsoft website) so potentially this modified
version should work under W95 and up also but I haven't verified that.


To install ssh-agent as a service under cygrunsrv I use:


cygrunsrv -I ssh-agent -p /usr/bin/ssh-agent -a "-r" -o

To start the service:

either:

cygrunsrv -S ssh-agent

or:

net start ssh-agent


In my .bash_login I added:


ssh-add -l > /dev/null 2>&1
if [ $? -eq 1 ]; then
   ssh-add
fi


Attached the modified source files and the modified Makefile.


Tim

Attachment: ssh-agent-reg.c
Description: Text document

Attachment: ssh-agent.c
Description: Text document
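
The owner check from change 4 and the per-user removal from change 5, as an added sketch that is not the code from the attached ssh-agent.c. The struct and function names are hypothetical, key_id stands in for the stored key, and the euid/egid arguments are assumed to be the values getpeereid() returned for the client socket.

```c
#include <stdlib.h>
#include <sys/types.h>
#include <sys/queue.h>
#ifndef TAILQ_FOREACH_SAFE  /* not in every sys/queue.h, cf. change 5 */
#define TAILQ_FOREACH_SAFE(var, head, field, tvar)                  \
    for ((var) = TAILQ_FIRST(head);                                 \
        (var) && ((tvar) = TAILQ_NEXT(var, field), 1); (var) = (tvar))
#endif
/* Hypothetical, simplified entry; not the struct used in ssh-agent.c. */
struct ident {
    TAILQ_ENTRY(ident) next;
    int   key_id;           /* stands in for the key itself */
    uid_t euid;             /* credentials of the client that added it */
    gid_t egid;
};
TAILQ_HEAD(idlist, ident);

/* Store a key together with the adding client's euid/egid. */
int ident_add(struct idlist *l, int key_id, uid_t euid, gid_t egid)
{
    struct ident *id = calloc(1, sizeof(*id));
    if (id == NULL)
        return -1;
    id->key_id = key_id;
    id->euid = euid;
    id->egid = egid;
    TAILQ_INSERT_TAIL(l, id, next);
    return 0;
}

/* Look up a key for a client; keys added by other users are never returned. */
struct ident *ident_lookup(struct idlist *l, int key_id, uid_t euid, gid_t egid)
{
    struct ident *id;
    TAILQ_FOREACH(id, l, next)
        if (id->key_id == key_id && id->euid == euid && id->egid == egid)
            return id;
    return NULL;
}

/* ssh-add -D: remove only the caller's keys; returns how many were removed. */
int ident_remove_all(struct idlist *l, uid_t euid, gid_t egid)
{
    struct ident *id, *tmp;
    int n = 0;
    TAILQ_FOREACH_SAFE(id, l, next, tmp)
        if (id->euid == euid && id->egid == egid) {
            TAILQ_REMOVE(l, id, next);  /* safe: tmp already holds the successor */
            free(id);
            n++;
        }
    return n;
}
```

A plain TAILQ_FOREACH would read the freed entry's next pointer after the removal, which is why the per-user delete needs the _SAFE variant.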
