4

I've found something odd in my system monitor. In my process list was 'ssh-agent'. Now, I'm not too familiar with SSH, but I know that it can't be normal for an SSH service to be running on a VANILLA desktop Ubuntu installation. I've run rkhunter and it came back with nothing in particular.

I ran this command and here are the results:

trev@trev-pc:~$ ps -aux | grep ssh
trev     1635  0.0  0.0  11140    48 ?        Ss   Feb18   0:00 /usr/bin/ssh-agent /usr/bin/dbus-launch --exit-with-session /usr/bin/im-launch mate-session
trev    15992  0.0  0.0  15192  2144 pts/1    S+   20:06   0:00 grep --color=auto ssh

What's going on here? Is this something to be concerned about?

LiveWireBT
  • 29,617
ctrev
  • 109

1 Answer

19

No, this is not something to be concerned about. This is ssh-agent, not sshd, which is the SSH daemon. If you have a look at man ssh-agent:

 ssh-agent is a program to hold private keys used for public key
 authentication (RSA, DSA, ECDSA, ED25519).  The idea is that ssh-agent is
 started in the beginning of an X-session or a login session, and all
 other windows or programs are started as clients to the ssh-agent
 program.

The way it works is that when you use SSH to connect to somewhere (the command-line client ssh is installed by default, and other programs, like the file browser, can also act as SSH clients), the connecting program will use the agent instead of loading the private key itself:

 The agent will never send a private key over its request channel.
 Instead, operations that require a private key will be performed by the
 agent, and the result will be returned to the requester.  This way,
 private keys are not exposed to clients using the agent.

The benefits are that you only need to unlock the private key once per session (the agent will then store it in memory), and clients never see your unencrypted private key directly.

It's the opposite of a backdoor, in a way.

muru
  • 207,970
  • Thank you, I'm not very good with this kind of stuff! I appreciate the well written reply. – ctrev Feb 21 '16 at 04:29
  • What prevents someone from spoofing the result that the keys match? – Liam Clink Jan 27 '20 at 03:08
  • 1
    @LiamClink The mathematics behind public key authentication essentially mean that computing a matching result is practically impossible without the private key (depending on key sizes, etc.). – muru Mar 19 '20 at 02:34
  • That means that the "matched" result isn't just a true/false, how then is it determined whether the keys match in a way that prevents spoofing? – Liam Clink Mar 21 '20 at 06:05
  • 1
    @Liam https://security.stackexchange.com/a/23243/54387, https://ssd.eff.org/en/module/deep-dive-end-end-encryption-how-do-public-key-encryption-systems-work#3 – muru Mar 21 '20 at 06:20
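The request channel described in the man page excerpt above can be inspected directly. The following is an added example, not part of the original answer or of OpenSSH's code: it sends the agent's "list identities" request over the socket named in `$SSH_AUTH_SOCK` and parses the reply, which carries only public key blobs and comments. The message numbers are taken from the SSH agent protocol draft (draft-miller-ssh-agent); the sample reply and its comment string are constructed for illustration.

```python
import os
import socket
import struct

# Message numbers from the SSH agent protocol (draft-miller-ssh-agent).
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12

def frame(msg_type, payload=b""):
    """Agent messages are: uint32 length, one type byte, then the payload."""
    return struct.pack(">IB", len(payload) + 1, msg_type) + payload

def ssh_string(data):
    return struct.pack(">I", len(data)) + data

def read_string(buf, off):
    """Read one length-prefixed string, rejecting lengths that overrun buf."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    end = off + 4 + struct.unpack_from(">I", buf, off)[0]
    if end > len(buf):
        raise ValueError("string overruns message")
    return buf[off + 4:end], end

def parse_identities(body):
    """Parse an IDENTITIES_ANSWER body into (key_type, comment) pairs."""
    if len(body) < 5 or body[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not an identities answer")
    count, off, keys = struct.unpack_from(">I", body, 1)[0], 5, []
    for _ in range(count):
        blob, off = read_string(body, off)      # public key blob only
        comment, off = read_string(body, off)
        key_type, _ = read_string(blob, 0)      # blob starts with algorithm name
        keys.append((key_type.decode(), comment.decode(errors="replace")))
    return keys

def list_agent_keys(sock_path=None):
    """Ask the agent behind $SSH_AUTH_SOCK which public keys it holds."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path or os.environ["SSH_AUTH_SOCK"])
        s.sendall(frame(SSH_AGENTC_REQUEST_IDENTITIES))
        reader = s.makefile("rb")
        (length,) = struct.unpack(">I", reader.read(4))
        return parse_identities(reader.read(length))

# Constructed sample reply body: one ed25519 public key blob with 32 zero bytes.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))
SAMPLE_BODY = (bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 1)
               + ssh_string(SAMPLE_BLOB) + ssh_string(b"trev@trev-pc"))
```

Calling `list_agent_keys()` in a desktop session returns the keys that session's agent currently holds; an empty list means no keys have been loaded into it.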