I use oh-my-zsh's ssh-agent plugin to have a static symlink to my current SSH_AUTH_SOCK created. When connecting through SSH with agent forwarding enabled, the file /tmp/ssh-agent-$USER-screen is symlinked to /tmp/ssh-<whatever>/agent.<some numbers>:
agross@router ~
$ ls -la /tmp/ssh-agent*
lrwxrwxrwx. 1 agross agross 30 Jan 7 21:35 /tmp/ssh-agent-agross-screen -> /tmp/ssh-uoof1WiDSw/agent.7745
agross@router ~
$ ls -la /tmp/ssh-uoof1WiDSw/
srwxr-xr-x. 1 agross agross 0 Jan 7 21:35 agent.7745
I tested the symlink successfully with ssh-add -l:
agross@router ~
$ ssh-add -l
2048 15:5a:dd... /home/agross/.ssh/id_rsa (RSA)
agross@router ~
$ echo $SSH_AUTH_SOCK
/tmp/ssh-agent-agross-screen
As soon as I su, I cannot access the symlink anymore, but the symlink target works fine.
[root@router ~]# socat -v - UNIX-CONNECT:/tmp/ssh-agent-agross-screen
2016/01/07 21:51:04 socat[16054] E connect(3, AF=1 "/tmp/ssh-agent-agross-screen", 30): Permission denied
[root@router ~]# socat - UNIX-CONNECT:/tmp/ssh-uoof1WiDSw/agent.7745
<empty line is printed so I guess I'm connected>
[root@router ~]# echo $SSH_AUTH_SOCK
/tmp/ssh-agent-agross-screen
[root@router ~]# ssh-add -l
Could not open a connection to your authentication agent.
[root@router ~]# SSH_AUTH_SOCK=/tmp/ssh-uoof1WiDSw/agent.7745 ssh-add -l
2048 15:5a:dd... /home/agross/.ssh/id_rsa (RSA)
I researched that the permissions on the symlink are not evaluated; rather, the permissions on the symlink target are relevant to decide whether a user (root even?) is able to access a file. And accessing the symlink target works flawlessly.
What could be the problem here?
I'm running CentOS 7, in case it matters. Thank you!
Updated after questions:
SSH_AUTH_SOCK is exported. I don't think it matters w.r.t. not being able to connect to the symlink with socat, though.
[root@router ~]# export | grep SSH
declare -x SSH_AUTH_SOCK="/tmp/ssh-agent-agross-screen"
SELinux
Seems like that doesn't matter as well.
[root@router ~]# getenforce
Enforcing
[root@router ~]# setenforce 0
[root@router ~]# socat - UNIX-CONNECT:/tmp/ssh-agent-agross-screen
2016/01/08 09:54:09 socat[21673] E connect(3, AF=1 "/tmp/ssh-agent-agross-screen", 30): Permission denied
[root@router ~]# setenforce 1
[root@router ~]# socat - UNIX-CONNECT:/tmp/ssh-agent-agross-screen
2016/01/08 09:54:45 socat[21675] E connect(3, AF=1 "/tmp/ssh-agent-agross-screen", 30): Permission denied
Symlink in ~ vs symlink in /tmp
Thanks to @masm for the pointer. A symlink in my home directory works, whereas the symlink in /tmp doesn't.
[root@router ~]# ls -lZ /home/agross
lrwxrwxrwx. agross agross unconfined_u:object_r:user_home_t:s0 foo -> /tmp/ssh-QlnhyjUQDp/agent.15895
[root@router ~]# socat -v - UNIX-CONNECT:/home/agross/foo
<empty line>
[root@router ~]# ls -lZ /tmp
lrwxrwxrwx. agross agross unconfined_u:object_r:user_tmp_t:s0 ssh-agent-agross-screen -> /tmp/ssh-QlnhyjUQDp/agent.15895
[root@router ~]# socat -v - UNIX-CONNECT:/tmp/ssh-agent-agross-screen
2016/01/08 18:14:48 socat[15989] E connect(3, AF=1 "/tmp/ssh-agent-agross-screen", 30): Permission denied
Best Answer
fs.protected_symlinks=1 was the culprit. Kudos: https://askubuntu.com/questions/599719/how-can-i-set-a-symlink-from-tmp-mysql-sock
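The sysctl named in the answer is the Linux "protected symlinks" hardening: in a directory that is both sticky and world-writable (such as /tmp), a symlink is only followed when the caller's uid owns the link or the link's owner also owns the directory. That is exactly the question's pattern: root following an agross-owned link in root-owned /tmp is refused, while the same link in /home/agross (not sticky, not world-writable) works. The following Python model is an added example, not code from the question, the answer or the oh-my-zsh plugin. It reimplements the kernel rule on constructed stat values so the three situations from the question can be checked without root, and adds a small walker that applies the same rule to a real path using lstat(). The uid 1000 for agross is an assumption; the page never states it.

```python
import os
import stat
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Inode:
    """The two fields the protected_symlinks rule looks at."""
    mode: int  # st_mode, including file-type bits (S_IFLNK, S_IFDIR, ...)
    uid: int   # st_uid


def symlink_follow_denied(parent: Inode, link: Inode, follower_uid: int) -> bool:
    """True if fs.protected_symlinks=1 refuses to follow `link`, which lives in `parent`.

    Mirrors the kernel's may_follow_link() decision. The link is refused only
    when all of these hold:
      1. the directory holding the link is sticky (+t) AND world-writable,
      2. the caller's fsuid is not the link's owner, and
      3. the link's owner is not the directory's owner.
    Anything that is not a symlink is never affected by this sysctl, which is
    why connecting to the agent socket directly keeps working.
    """
    if not stat.S_ISLNK(link.mode):
        return False
    sticky = bool(parent.mode & stat.S_ISVTX)
    world_writable = bool(parent.mode & stat.S_IWOTH)
    if not (sticky and world_writable):
        return False          # e.g. a symlink inside $HOME
    if follower_uid == link.uid:
        return False          # the link's owner may always follow it
    if link.uid == parent.uid:
        return False          # links owned by the directory owner (root in /tmp)
    return True


def blocked_components(path: str, follower_uid: Optional[int] = None) -> List[str]:
    """Walk a real path and list every component protected_symlinks would refuse.

    lstat() is used so symlinks are inspected rather than followed. Only the
    components of `path` itself are checked, not the chain behind each target.
    """
    if follower_uid is None:
        follower_uid = os.geteuid()
    blocked: List[str] = []
    current = os.sep
    for part in os.path.abspath(path).split(os.sep)[1:]:
        if not part:
            continue
        parent_st = os.lstat(current)
        current = os.path.join(current, part)
        st = os.lstat(current)
        if symlink_follow_denied(Inode(parent_st.st_mode, parent_st.st_uid),
                                 Inode(st.st_mode, st.st_uid), follower_uid):
            blocked.append(current)
    return blocked


def page_scenario() -> Dict[str, bool]:
    """The question's three situations, rebuilt from constructed stat values.

    Assumption: agross has uid 1000. Modes follow the `ls -l` output on the page.
    """
    tmp = Inode(stat.S_IFDIR | 0o1777, 0)      # drwxrwxrwt root:root  /tmp
    home = Inode(stat.S_IFDIR | 0o700, 1000)   # drwx------ agross     /home/agross
    link = Inode(stat.S_IFLNK | 0o777, 1000)   # lrwxrwxrwx agross     the agent symlink
    return {
        "root via /tmp symlink": symlink_follow_denied(tmp, link, 0),        # denied
        "agross via /tmp symlink": symlink_follow_denied(tmp, link, 1000),   # allowed
        "root via ~agross symlink": symlink_follow_denied(home, link, 0),    # allowed
    }


if __name__ == "__main__":
    for name, denied in page_scenario().items():
        print(f"{name:28s} -> {'Permission denied' if denied else 'ok'}")
    sock = os.environ.get("SSH_AUTH_SOCK")
    if sock:
        print("components of SSH_AUTH_SOCK refused for this uid:", blocked_components(sock))
```

Run it as the user who is about to `su` and pass the target uid, e.g. `blocked_components(os.environ["SSH_AUTH_SOCK"], 0)`, to see in advance which component root will be refused. The rule suggests the fix the question already found by accident: keep the stable symlink in a directory that is not sticky-and-world-writable (the home directory), rather than lowering fs.protected_symlinks, which exists precisely to stop unprivileged users planting links in /tmp that privileged processes then follow.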