If you are aiming for a daemon that acts like `ssh-agent` or `gpg-agent`, then you probably don't want a `RequestKey` operation.
Those other agents are designed such that the private key is never sent to the client process. So rather than `ssh` retrieving the private key from the agent so it can perform challenge-based authentication, it sends the challenge to the agent, which then returns the signed version of the challenge ready to be sent to the server.
To put it simply, if the agent never sends the private key over the IPC mechanism, then the IPC mechanism can't be used to snoop on the private key.
If you want to further improve the security of your agent and you are using UNIX domain sockets on Linux, you can make use of the `SO_PEERCRED` socket option to query the identity of who you are talking to:
```go
import (
	"errors"
	"net"
	"syscall"
)

// getPeerCred returns the kernel-reported PID/UID/GID of the peer on a UNIX domain socket (Linux only).
func getPeerCred(conn net.Conn) (*syscall.Ucred, error) {
	uc, ok := conn.(*net.UnixConn)
	if !ok {
		return nil, errors.New("not a UNIX domain socket connection")
	}
	file, err := uc.File() // duplicates the descriptor; closed below
	if err != nil {
		return nil, err
	}
	defer file.Close()
	return syscall.GetsockoptUcred(int(file.Fd()), syscall.SOL_SOCKET, syscall.SO_PEERCRED)
}
```
The returned `Ucred` structure tells you the process, user, and group IDs of the party at the other end of the socket. You can use this information to decide whether or not you want to communicate with them. The information comes from the kernel, so it cannot be forged by the client.
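As an added worked example (not part of the answer above, and not any real agent's wire protocol), the following Go program puts the two points together: an agent that keeps an ed25519 private key in-process and answers only with a signature over the client's challenge, and that checks the peer's `SO_PEERCRED` credentials before reading a single byte from the connection. It assumes Linux (for `SO_PEERCRED` and the abstract socket namespace), a made-up fixed framing (32-byte challenge in, 64-byte signature out), and a made-up policy that only a peer running as the agent's own UID is served; the function names are mine.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"io"
	"net"
	"os"
	"syscall"
)

// peerCred asks the kernel for the PID/UID/GID of the connected peer (SO_PEERCRED, Linux only).
func peerCred(conn *net.UnixConn) (*syscall.Ucred, error) {
	f, err := conn.File()
	if err != nil {
		return nil, err
	}
	defer f.Close()
	return syscall.GetsockoptUcred(int(f.Fd()), syscall.SOL_SOCKET, syscall.SO_PEERCRED)
}

// serveOne is the agent side for one client: check credentials before reading anything,
// then read a 32-byte challenge and reply with its ed25519 signature. The private key
// never touches the socket. Hypothetical policy: only the agent's own UID is served.
func serveOne(l *net.UnixListener, priv ed25519.PrivateKey) error {
	conn, err := l.AcceptUnix()
	if err != nil {
		return err
	}
	defer conn.Close()
	cred, err := peerCred(conn)
	if err != nil {
		return err
	}
	if int(cred.Uid) != os.Getuid() {
		return fmt.Errorf("rejected peer pid %d uid %d", cred.Pid, cred.Uid)
	}
	var challenge [32]byte
	if _, err := io.ReadFull(conn, challenge[:]); err != nil {
		return err
	}
	_, err = conn.Write(ed25519.Sign(priv, challenge[:]))
	return err
}

// requestSignature is the client side (the "ssh" role): send the challenge, receive only the signature.
func requestSignature(addr *net.UnixAddr, challenge []byte) ([]byte, error) {
	conn, err := net.DialUnix("unix", nil, addr)
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	if _, err := conn.Write(challenge); err != nil {
		return nil, err
	}
	sig := make([]byte, ed25519.SignatureSize)
	if _, err := io.ReadFull(conn, sig); err != nil {
		return nil, err
	}
	return sig, nil
}

// RunExchange starts an agent on a Linux abstract socket (no filesystem permissions protect it,
// so the SO_PEERCRED check is the only gate), runs one round trip, and reports whether the signature verifies.
func RunExchange() (bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, err
	}
	addr := &net.UnixAddr{Name: fmt.Sprintf("@agent-example-%d", os.Getpid()), Net: "unix"}
	l, err := net.ListenUnix("unix", addr)
	if err != nil {
		return false, err
	}
	defer l.Close()
	done := make(chan error, 1)
	go func() { done <- serveOne(l, priv) }()
	challenge := make([]byte, 32) // constructed challenge standing in for the server's
	if _, err := rand.Read(challenge); err != nil {
		return false, err
	}
	sig, err := requestSignature(addr, challenge)
	if err != nil {
		return false, err
	}
	if err := <-done; err != nil {
		return false, err
	}
	return ed25519.Verify(pub, challenge, sig), nil
}

func main() {
	ok, err := RunExchange()
	if err != nil {
		panic(err)
	}
	fmt.Println("signature verified:", ok)
}
```

Run it with `go run` on Linux; it prints `signature verified: true`. Two design choices worth noting: the credential check happens before any protocol bytes are parsed, so an unauthorised peer never reaches the request parser, and because an abstract socket has no file mode, the kernel-supplied UID is the only thing standing between other local users and the signing operation. For a filesystem socket you would additionally restrict the socket path (mode 0600 in a private directory) and still keep the credential check.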