what is ssh-agent?

andy baxter andy at earthsong.free-online.co.uk
Sat May 3 20:27:01 UTC 2008


John K Masters wrote:
> On 20:50 Sat 03 May     , andy baxter wrote:
>   
>> John K Masters wrote:
>>     
>>> On 20:11 Sat 03 May     , andy baxter wrote:
>>>   
>>>       
>>>> Hello,
>>>>
>>>> Could someone tell me what ssh-agent is? I have the following process 
>>>> running on my computer, and I'm not sure what it does:
>>>>
>>>>         
>>> If you have not explicitly installed ssh on your machine (IIRC it is not
>>> installed by default) then I would look closely at the possibility your
>>> machine has been compromised. However, depending on what applications
>>> you have installed, ssh may have been pulled in as a dependency.
>>>
>>>   
>>>       
>> I sometimes ssh to a local machine on my network (a small web server), 
>> so it's possible this is kosher. I haven't done this since I booted up 
>> though, and that machine isn't even switched on at the moment. The 
>> program doesn't seem to have any open sockets at the moment:
>> root@monkey:~# netstat --program | grep ssh
>> root@monkey:~#
>>
>>     
>
> Shouldn't be a problem then. I use ssh-agent every day to manage a
> remote server. It allows me to disable password access to, hopefully,
> foil the dozen or so attempts per day to break into the server. Also
> root login disabled. 
>
> If your server is not out there on the web then you almost certainly
> have nothing to worry about.
>   
The server is on the web when it's switched on - I have an ADSL router 
which is set to forward traffic on port 80 to port 80 of the server. So 
it is possible the server has been compromised and then used to break 
into my other machine. I don't have a firewall running on my laptop 
because I thought it was safe having no outward facing server processes 
- just apache and sometimes mysql running on localhost. But I may be 
wrong here - netstat --program -al gives (truncated):

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address       Foreign Address          State      PID/Program name
tcp        0      0 localhost:2208      *:*                      LISTEN     5021/hpiod
tcp        0      0 localhost:www       *:*                      LISTEN     5359/apache2
tcp        0      0 192.168.1.3:domain  *:*                      LISTEN     4957/named
tcp        0      0 localhost:domain    *:*                      LISTEN     4957/named
tcp        0      0 localhost:ipp       *:*                      LISTEN     5877/cupsd
tcp        0      0 localhost:smtp      *:*                      LISTEN     5166/master
tcp        0      0 localhost:953       *:*                      LISTEN     4957/named
tcp        0      0 localhost:2207      *:*                      LISTEN     5024/python
tcp        0      0 192.168.1.3:2579    mail.free-online.n:pop3  TIME_WAIT  -
tcp6       0      0 *:domain            *:*                      LISTEN     4957/named
tcp6       0      0 ip6-localhost:953   *:*                      LISTEN     4957/named
udp        0      0 *:1024              *:*                                 4957/named
udp        0      0 192.168.1.3:domain  *:*                                 4957/named
udp        0      0 localhost:domain    *:*                                 4957/named
udp        0      0 *:bootpc            *:*                                 17718/dhclient
udp6       0      0 *:1025              *:*                                 4957/named
udp6       0      0 *:domain            *:*                                 4957/named

I think this means named has an incoming port open. Is this a good idea 
(I don't think I need it) and should I just disable it?
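
The check this message does by eye, separating loopback-only listeners from ones bound to a network-facing address, written out as an added example that is not part of the original post. The sample rows are rejoined from the netstat output above; the function names and the address sets are assumptions of this example.

```python
import re

# Rows rejoined from the netstat output quoted in the post (subset).
SAMPLE = """\
tcp 0 0 localhost:2208 *:* LISTEN 5021/hpiod
tcp 0 0 localhost:www *:* LISTEN 5359/apache2
tcp 0 0 192.168.1.3:domain *:* LISTEN 4957/named
tcp 0 0 192.168.1.3:2579 mail.free-online.n:pop3 TIME_WAIT -
tcp6 0 0 *:domain *:* LISTEN 4957/named
tcp6 0 0 ip6-localhost:953 *:* LISTEN 4957/named
udp 0 0 *:1024 *:* 4957/named
udp 0 0 *:bootpc *:* 17718/dhclient
"""

LOOPBACK = {"localhost", "ip6-localhost", "::1"}   # assumed name set
WILDCARD = {"*", "0.0.0.0", "::", "[::]"}

def scope(host):
    """Classify a bind address: loopback, every interface, or one address."""
    if host in LOOPBACK or host.startswith("127."):
        return "loopback"
    return "all-interfaces" if host in WILDCARD else "one-address"

def listeners(text):
    """Return (proto, host, port, program, scope) for sockets awaiting traffic."""
    found = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or not re.fullmatch(r"(tcp|udp)6?", f[0]):
            continue  # header, blank line or unix-socket row
        if f[0].startswith("tcp"):
            if len(f) < 6 or f[5] != "LISTEN":
                continue  # established/TIME_WAIT rows are not listeners
            program = f[6] if len(f) > 6 else "-"
        else:
            if f[4] != "*:*":
                continue  # UDP has no LISTEN state; skip connected sockets
            program = f[5] if len(f) > 5 else "-"
        host, _, port = f[3].rpartition(":")
        found.append((f[0], host, port, program, scope(host)))
    return found

def exposed(text):
    """Listeners reachable from other hosts on the network."""
    return [row for row in listeners(text) if row[4] != "loopback"]

if __name__ == "__main__":
    for proto, host, port, program, where in exposed(SAMPLE):
        print(f"{proto:5} {host}:{port:8} {program:16} {where}")
```

A listener that is not loopback-only can be reached from other machines on the same network; whether it can be reached from the internet depends on what the router forwards.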





