Ssh – Placing OpenSSH control socket in /run


OpenSSH has a feature that allows you to multiplex connections over a control socket. It is generally accepted that these control sockets should not reside in a common area, due to the security issues that are raised from publicly accessible sockets.

It is also a general policy to use something like ~/.ssh/sockets as the location for the sockets. This poses a problem which I've been tinkering with for a while.

When the master process is terminated forcefully and the cleanup is not done, your socket store will get littered with leftover sockets that you need to manually clear. Examples of such a case would be a power loss or other hardware failure.

Modern Linux distributions all carry /run, which contains volatile runtime data, along with /run/user/<uid>, which is intended for per-user volatile runtime data. The directory is only accessible by the owner and is created by the system for the user.

Considering that control sockets fit this description perfectly, I would love to transfer the socket there. Yet, there are certain problems: OpenSSH configuration only allows you to address the current user by the username, whereas the directory is created for the UID of the user. I share my general configuration between hosts, so hardcoding the UID in the configuration is not something I want to do.

What I'm looking for is a clean solution that allows one to use a generic OpenSSH configuration in such a way that the sockets are cleared on boot.

Best Answer

Since OpenSSH 7.2, which was released in February 2016, %i is supported in the ControlPath expression; it expands to the numeric UID.

For example,

ControlPath /run/user/%i/master-%l-%r@%h:%p

Alternatively, if a newer OpenSSH is not available, you can consider using /dev/shm for storing temporary data. It's world-writeable and is always tmpfs. Although it's accessible to other users, control sockets themselves have proper access rights, so it should be safe.

https://superuser.com/questions/45342/when-should-i-use-dev-shm-and-when-should-i-use-tmp
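
One way to check that a socket directory is private before pointing ControlPath at it, covering both /run/user/<uid> and a fallback directory such as ~/.ssh/sockets. This is an added example, not part of the original question or answer; the function names are hypothetical, and it assumes Linux with GNU `stat -c`.

```shell
# Added example: choose a private directory for OpenSSH control sockets.
# Assumes Linux with GNU stat (stat -c); function names are hypothetical.

# Succeeds only if $1 is a real directory (not a symlink), owned by the
# current user, with no group/other permission bits set.
is_private_dir() {
    dir=$1
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    owner=$(stat -c '%u' "$dir") || return 1
    mode=$(stat -c '%a' "$dir") || return 1
    [ "$owner" = "$(id -u)" ] || return 1
    # %a prints octal such as 700 or 1700; the last two digits are group/other.
    case $mode in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Prints the directory to use: the runtime dir (default /run/user/<uid>) when
# it is private, otherwise a fallback (default ~/.ssh/sockets) created 0700.
# Fails if the fallback already exists with looser permissions or another owner.
pick_control_dir() {
    runtime=${1:-/run/user/$(id -u)}
    fallback=${2:-$HOME/.ssh/sockets}
    if is_private_dir "$runtime"; then
        printf '%s\n' "$runtime"
        return 0
    fi
    ( umask 077 && mkdir -p "$fallback" ) || return 1
    is_private_dir "$fallback" || return 1
    printf '%s\n' "$fallback"
}

# Prints a ControlPath option for "ssh -o", using the tokens from the answer.
control_path_option() {
    printf 'ControlPath=%s/master-%%l-%%r@%%h:%%p\n' "$1"
}

# Usage: ssh -o ControlMaster=auto -o "$(control_path_option "$(pick_control_dir)")" host
```

The same ownership and mode check applies to a per-user subdirectory under /dev/shm, since /dev/shm itself is world-writeable.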