Bug 3990 - Enhancement request concerning net-misc/openssh
Summary: Enhancement request concerning net-misc/openssh
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: x86 Linux
Importance: High normal (vote)
Assignee: Nicholas Jones (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2002-06-21 12:33 UTC by Peter Simons
Modified: 2003-02-04 19:42 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments
/usr/portage/net-misc/openssh/files/openssh-3.2.3_p1.patch (openssh-3.2.3_p1.patch,4.89 KB, patch)
2002-06-22 00:44 UTC, phoen][x

Description Peter Simons 2002-06-21 12:33:22 UTC
Would it be possible to configure (or patch) openssl to put the ssh-xxx
directories created by the ssh-agent in /var/run rather than /tmp? I am asking
because on a highly frequented system those directories clutter /tmp up
considerably and IMHO they don't really belong there. I can provide the
necessary diff, if you're interested, but I don't dare to touch the ebuild file
yet; I just got started on those. :-)
Comment 1 Peter Simons 2002-06-21 12:45:28 UTC
Sorry, I said "openssl" in the text but meant "openssh".
Comment 2 phoen][x 2002-06-21 13:04:20 UTC
Okay, attach the diffs please (or email them to me) and I'll look into it as soon
as I have them.

-phoen][x-
Comment 3 phoen][x 2002-06-22 00:43:15 UTC
Received your mail and patched the ebuild. This is the diff:

gravity openssh # diff -ru openssh-3.2.3_p1-r1.ebuild openssh-3.2.3_p1-r2.ebuild 
--- openssh-3.2.3_p1-r1.ebuild  Wed Jun  5 01:20:50 2002
+++ openssh-3.2.3_p1-r2.ebuild  Sat Jun 22 07:29:37 2002
@@ -24,6 +24,13 @@
 SRC_URI="ftp://ftp.openbsd.org/pub/unix/OpenBSD/OpenSSH/portable/${PARCH}.tar.gz"
 S=${WORKDIR}/${PARCH}
 
+src_unpack() {
+       unpack ${A} ; cd ${S}
+       # make ssh-agent go to /var/run instead of /tmp
+        patch -p1 < ${FILESDIR}/openssh-3.2.3_p1.patch || die
+
+}
+
 src_compile() {
        local myconf
        use tcpd || myconf="${myconf} --without-tcp-wrappers"
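Review bot: the `patch -p1 < ${FILESDIR}/openssh-3.2.3_p1.patch || die` line gives die no message and is indented with spaces while the rest of the function uses tabs; suggest `patch -p1 < ${FILESDIR}/openssh-3.2.3_p1.patch || die "openssh-3.2.3_p1.patch failed to apply"` with matching indentation, and drop the stray blank line before the closing brace. The comment says the agent goes to /var/run, but which subdirectory the socket path actually uses is decided by the attached patch, not by anything in this hunk, so the comment should name the exact directory the patch sets.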
@@ -51,6 +58,10 @@
 }
 
 src_install() {                               
+       mkdir -p ${D}/var/run/ssh-agent
+       chmod 1777 ${D}/var/run/ssh-agent
+       touch ${D}/var/run/ssh-agent/.keep
+
        make install-files DESTDIR=${D} || die
        dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
        insinto /etc/pam.d  ; newins ${FILESDIR}/sshd.pam sshd
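Review bot: `chmod 1777 ${D}/var/run/ssh-agent` ships a world-writable directory under /var, so any local user can write arbitrary amounts of data into the filesystem that holds /var, which is a different exposure from a sticky directory in /tmp. Also, /var/run is cleared at boot on many systems, so the directory and its .keep file installed here may not exist when ssh-agent first runs; creating it from the sshd init script (or having ssh-agent create it) would be more robust. Finally, this hunk creates /var/run/ssh-agent while the src_unpack comment says the agent goes to /var/run; the ebuild and the patch should agree on one directory.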
=====================EOF==================================================

Next thing you need is a file called
/usr/portage/net-misc/openssh/files/openssh-3.2.3_p1.patch which contains your
diffs. I'll attach the file to this mail.

emerge openssh, and it should install the new candidate (-r2) - after that
restart sshd and see if it works. It doesn't create any files in
/var/run/ssh-agents over here, but hey - it didn't create stuff in /tmp in the
first place either.

Good luck, and tell me if it works, please.

By the way, feel free to write your mails in German. :)
Comment 4 phoen][x 2002-06-22 00:44:29 UTC
Created attachment 1681 [details, diff]
/usr/portage/net-misc/openssh/files/openssh-3.2.3_p1.patch
Comment 5 Nicholas Jones (RETIRED) gentoo-dev 2002-06-23 10:19:47 UTC
It would appear to me that a user could fill up /var if they have rw access.
Quotas may not exist for the /var specifically. These socket files are owned by
the users, so you have to make the directory user read/write. I do not want ANY
user touching my /var, particularly outside of /var/spool/.

I'd suggest moving them into a directory within /tmp. phoen][x's patch can be
modified to use something like /tmp/ssh-agent instead of the /var/run/ssh-agent.
Comment 6 Peter Simons 2002-06-25 03:44:41 UTC
The patch file you attached will patch OpenSSL to use /var/run/ssh-xxxx as the
directory holding the socket. In the ebuild file you create a directory
/var/run/ssh-agent, though. This appears to be a mistake -- at least I cannot
see why this directory would be needed ... I assume you meant the ssh-xxxx
socket directories to go in there, right?

Concerning Nicholas' comment about the users being able to fill up /var in this
setup: I understand your concern, but as far as I can tell, the users do have
several locations with write permissions in /var already anyway. Most
prominently, /var/tmp comes to my mind. Also, they can use "crontab" to generate
arbitrarily sized files in /var/spool/cron/crontabs, if they intend to. Depending
on the installation, there's probably more.

As a compromise, I would suggest leaving the .ssh-xxx directories in /tmp, but
to use /tmp/.ssh-xxxx instead, so that at least they are not visible all the
time. That should make everybody happy. I will also contact the OpenSSH guys
about this ... Maybe they'll even change their distribution accordingly.
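The layout argued over in Comments 5 and 6 (a per-user socket directory, mode 0700, owned by the user, inside a sticky world-writable parent such as /tmp, /var/run or /tmp/.ssh-xxxx), as an added example that is not part of this bug report or of OpenSSH. The script below checks whether a given directory meets those conditions and then exercises the check on a constructed throwaway layout; `check_agent_dir`, `demo` and the sample directory names are the example's own, and it assumes GNU stat(1) as found on Linux.

```shell
#!/bin/sh
# Added example (not from the bug or from OpenSSH): audit the directory
# that holds an ssh-agent socket against the layout discussed in the bug.
# ssh-agent creates a per-user "ssh-XXXXXX" directory, mode 0700, inside a
# shared, sticky, world-writable parent.  Assumes GNU stat(1).

# check_agent_dir DIR [EXPECTED_UID]
# Returns 0 when DIR is a safe home for agent sockets:
#   - DIR is a real directory (not a symlink another local user planted)
#   - DIR is owned by EXPECTED_UID (default: the calling uid)
#   - DIR is mode 0700, so other users cannot reach the socket
#   - DIR's parent, if world-writable, has the sticky bit, so other users
#     cannot rename or delete DIR out from under the agent
check_agent_dir() {
    dir=$1
    want_uid=${2:-$(id -u)}

    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a real directory" >&2
        return 1
    fi

    uid=$(stat -c '%u' "$dir")
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $dir is owned by uid $uid, expected $want_uid" >&2
        return 1
    fi

    mode=$(stat -c '%a' "$dir")
    if [ "$mode" != "700" ]; then
        echo "FAIL: $dir has mode $mode, expected 700" >&2
        return 1
    fi

    # Symbolic mode of the parent, e.g. "drwxrwxrwt": character 9 is the
    # "other write" bit and character 10 carries the sticky bit (t/T).
    pperm=$(stat -c '%A' "$(dirname "$dir")")
    case "$pperm" in
        ????????w[tT]) ;;                      # world-writable and sticky: fine
        ????????w?)
            echo "FAIL: parent of $dir is world-writable without sticky bit ($pperm)" >&2
            return 1 ;;
        *) ;;                                  # not world-writable: fine
    esac

    echo "OK: $dir" >&2
    return 0
}

# Build a constructed layout under a temporary directory and run the check
# over the good case and three bad ones.  Returns 0 only if every case
# behaves as expected, so it doubles as a self-test.
demo() {
    base=$(mktemp -d) || return 1
    mkdir -m 1777 "$base/tmp"               # sticky, world-writable parent
    mkdir -m 0700 "$base/tmp/ssh-good"      # what ssh-agent creates
    mkdir -m 0755 "$base/tmp/ssh-open"      # others can traverse it: bad
    mkdir -m 0777 "$base/shared"            # world-writable but NOT sticky
    mkdir -m 0700 "$base/shared/ssh-x"      # otherwise fine, parent is not
    ln -s "$base/tmp/ssh-good" "$base/tmp/ssh-link"   # planted symlink

    rc=0
    check_agent_dir "$base/tmp/ssh-good"    || rc=1
    ! check_agent_dir "$base/tmp/ssh-open"  || rc=1
    ! check_agent_dir "$base/shared/ssh-x"  || rc=1
    ! check_agent_dir "$base/tmp/ssh-link"  || rc=1

    rm -rf "$base"
    return $rc
}
```

Run `demo` to see the four verdicts; to audit a live agent, point the check at `$(dirname "$SSH_AUTH_SOCK")`. The parent check is what makes the /var/run proposal in this bug work at all: a 1777 directory keeps other users from removing your socket directory, but it also lets every local user write into whatever filesystem holds it, which is the trade-off Comment 5 objects to.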
Comment 7 Nicholas Jones (RETIRED) gentoo-dev 2002-07-17 06:56:21 UTC
Do we have any word on this? Was the idea submitted upstream?
Comment 8 Nicholas Jones (RETIRED) gentoo-dev 2002-08-02 02:35:57 UTC
Did we lose interest? Closing. Reopen if necessary.
Comment 9 Peter Simons 2002-08-02 07:51:33 UTC
Sorry for the long delay in answering this, but I was traveling a lot recently and
didn't really have network connectivity nor time to worry about much but my work!

Anyway, I have news: I humbly submitted the request with the OpenSSH guys and
was turned down violently. Apparently, those extremely bright and way superior
super-humans think that whatever reason I have for not wanting to see the
ssh-xxx socket directories in my /tmp directory is not valid and that I am
generally an idiot for even wanting such a thing. So there is little to no
chance of actually getting this change into the OpenSSH distribution itself. :-(