ssh-*.*


  1. #1

    I have all these subdirectories starting with ssh- under my tmp directory, and I get the feeling they are just wasting space. Can somebody tell me what they are and whether I can just delete them? The first letter starts from a and goes to Z.
    Thanks

  2. #2
    I think they're SSH agent socket directories from agent instances that didn't get shut down properly.

    The SSH protocol can do authentication based on private keys -- you put your public key on the SSH server, and you leave your private key on the machine you'll be ssh'ing from. If you can prove that you know the private key that corresponds to your public key on the target SSH server, then the SSH protocol considers you authenticated. The private key never actually goes across the network.

    This is the best (most secure) way of doing password-less authentication with ssh.

    However, if someone compromises the machine you ssh from (or, if you're not the admin of the machine in question), they can get your private key. To protect against this, it is recommended that you encrypt your private key with a passphrase (long, complex password). To use the private key, you must provide the passphrase.

    That's where the problem comes in again: You need to provide the passphrase every time you try to use ssh. To help with this, a compromise between security (requiring the passphrase every time) and convenience (not encrypting it at all) was devised. ssh-agent is that compromise -- it's basically a secure place to store decrypted private keys. (I believe it even prevents the keys from being written to the swap file, but I'm not sure on that.) You add your private key to the agent with the ssh-add program, which prompts you for the passphrase. If you give it the correct one, then it adds the private key to the agent.

    When the agent receives an authentication request, it uses its secure decrypted private key to authenticate. The ssh program will ask the agent to do authentication for it, if the agent is running. So will sftp and scp.

    The directories in /tmp are a place for the agent to (mostly) securely store the socket that it uses to talk to various clients (ssh-add, ssh, sftp, scp, etc.). Root can still get at the socket, and thereby impersonate the user, so it's never recommended that you add keys to an agent that's running on a machine that you aren't root on.

    (Linux allows programs to create sockets and bind them to filenames; normal permissions checks apply to any access on that socket, so it's more secure than standard IP sockets.)

    When the agent shuts down, it's supposed to remove the socket and the directory that contains the socket. But it can't do this if it wasn't shut down cleanly.

    Anyway, to make a much longer story short, you can delete every one of those directories that isn't currently being used. To find out which one is, you can do an echo $SSH_AUTH_SOCK, and the filename of the one that's being used will be printed. Delete all the other directories (their sockets aren't connected to anything anymore).
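A housekeeping script along the lines of this answer, added here as an example (it is not from the thread or from OpenSSH): it lists or removes the ssh-* directories under a tmp root, skipping the one that holds $SSH_AUTH_SOCK, limiting itself to directories owned by the current user, and, as an extra check the answer does not make, leaving alone any socket an agent still answers on (probed with ssh-add -l, which exits 2 when it cannot reach an agent). The function names and the "dry" argument are my own; pass the tmp root without a trailing slash so it matches the directory part of $SSH_AUTH_SOCK.

```shell
#!/bin/sh
# Clean up stale ssh-agent socket directories (ssh-XXXXXXXXXX) under a tmp
# root. POSIX sh; example code, not part of OpenSSH.

# agent_alive SOCKET -> 0 if an agent answers on SOCKET, 1 otherwise.
# ssh-add exit codes: 0 = keys listed, 1 = agent reachable but empty,
# 2 = could not connect. Anything else (e.g. 127, ssh-add missing) is
# treated as "alive" so that we err on the side of keeping the directory.
agent_alive() {
    [ -S "$1" ] || return 1            # not a socket at all: nothing to probe
    rc=0
    SSH_AUTH_SOCK="$1" ssh-add -l >/dev/null 2>&1 || rc=$?
    [ "$rc" -ne 2 ]
}

# clean_stale_agent_dirs TMPROOT ACTIVE_SOCK [dry]
# Prints every directory it removes (with "dry", every directory it would
# remove). The directory containing ACTIVE_SOCK (normally $SSH_AUTH_SOCK)
# is never touched, nor are directories owned by other users or holding a
# socket that still answers. Always returns 0.
clean_stale_agent_dirs() {
    root=$1; active=$2; mode=${3:-delete}
    keep_dir=$(dirname "$active")      # dirname "" yields ".", which never matches
    me=$(id -un)
    for d in "$root"/ssh-*; do
        [ -d "$d" ] || continue        # unmatched glob stays literal: skip it
        [ "$d" = "$keep_dir" ] && continue   # this session's own agent
        owner=$(stat -c %U "$d" 2>/dev/null || stat -f %Su "$d")  # GNU, then BSD stat
        [ "$owner" = "$me" ] || continue     # someone else's: not ours to remove
        live=0
        for s in "$d"/agent.*; do
            agent_alive "$s" && live=1       # another login of ours still using it
        done
        [ "$live" -eq 1 ] && continue
        echo "$d"
        [ "$mode" = dry ] || rm -rf -- "$d"
    done
    return 0
}
```

Run it first as `clean_stale_agent_dirs /tmp "$SSH_AUTH_SOCK" dry` to see what would go; the sticky bit on /tmp already stops a non-root user from removing other users' directories, the owner check just keeps the output honest.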
