Created attachment 3220: proposed patch. On busy servers and desktops it is not uncommon that the /tmp directory gets full and the ssh services cannot write any needed files there. This affects the authentication information, local and forwarded ssh-agent sockets and forwarded Kerberos tickets. This is solved for many applications [1], services and daemons already by using the XDG_RUNTIME_DIR environment variable, which points to a location under /run/user that is already private to a specific user. The advantage is that this variable is available both from PAM after authentication and in the user session. The attached patch implements using this environment variable if available and makes the above use cases more reliable (especially the authentication information files). On systems not providing this variable, there should be no overhead and a fallback to the current method. [1] https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html
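To illustrate the selection logic the report describes (prefer XDG_RUNTIME_DIR when it is present, otherwise fall back to a fresh private directory under /tmp), here is an added stand-alone example. It is not the attached patch and not OpenSSH code; the function names, the "ssh-XXXXXX" template and the 4096-byte path buffer are assumptions for the illustration. The check it adds before trusting XDG_RUNTIME_DIR is the one a reviewer would ask for: the path must be an absolute, non-symlink directory owned by the calling user with no group/other permission bits, otherwise a hostile or misconfigured value of the variable would redirect agent sockets and auth files into a directory another user can read or replace.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define RUNTIME_PATH_MAX 4096   /* assumed buffer size for this example */

/* Return 1 if `path` is safe to hold per-user sockets and auth files:
 * absolute, not a symlink, a directory, owned by the calling user, and
 * with no group/other permission bits. Anything else returns 0. */
int runtime_dir_usable(const char *path)
{
    struct stat st;

    if (path == NULL || path[0] != '/')
        return 0;                               /* require an absolute path */
    if (lstat(path, &st) != 0)                  /* lstat so symlinks are refused */
        return 0;
    if (!S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != getuid())
        return 0;                               /* must be ours, not root's or another user's */
    if ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0)
        return 0;                               /* must be private (mode 0700 or tighter) */
    return 1;
}

/* Pick the directory to use: `xdg` (the value of XDG_RUNTIME_DIR) if it
 * passes runtime_dir_usable(), else a new mkdtemp() directory under
 * $TMPDIR or /tmp, which mkdtemp creates with mode 0700. Returns 0 and
 * fills `out` on success, -1 on failure. *used_xdg reports which branch
 * was taken. */
int pick_runtime_dir(const char *xdg, char *out, size_t outlen, int *used_xdg)
{
    if (runtime_dir_usable(xdg)) {
        size_t n = strlen(xdg);
        if (n >= outlen)
            return -1;
        memcpy(out, xdg, n + 1);
        *used_xdg = 1;
        return 0;
    }

    const char *tmp = getenv("TMPDIR");
    if (tmp == NULL || tmp[0] == '\0')
        tmp = "/tmp";
    int n = snprintf(out, outlen, "%s/ssh-XXXXXX", tmp);   /* template is an assumption */
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    if (mkdtemp(out) == NULL)
        return -1;                              /* e.g. /tmp full: the failure the report describes */
    *used_xdg = 0;
    return 0;
}

/* Exercise both branches: /tmp is world-writable and must be rejected,
 * the fallback directory must itself pass the check, and offering that
 * private directory as XDG_RUNTIME_DIR must then be accepted. Returns 1
 * when all of that holds, 0 otherwise. Cleans up the directory it made. */
int self_check(void)
{
    char chosen[RUNTIME_PATH_MAX], again[RUNTIME_PATH_MAX];
    int used_xdg = -1;

    if (pick_runtime_dir("/tmp", chosen, sizeof chosen, &used_xdg) != 0)
        return 0;
    if (used_xdg != 0 || !runtime_dir_usable(chosen)) {
        rmdir(chosen);
        return 0;
    }
    used_xdg = -1;
    if (pick_runtime_dir(chosen, again, sizeof again, &used_xdg) != 0 ||
        used_xdg != 1 || strcmp(again, chosen) != 0) {
        rmdir(chosen);
        return 0;
    }
    rmdir(chosen);
    return 1;
}

int main(void)
{
    char dir[RUNTIME_PATH_MAX];
    int used_xdg = -1;

    if (pick_runtime_dir(getenv("XDG_RUNTIME_DIR"), dir, sizeof dir, &used_xdg) != 0) {
        perror("pick_runtime_dir");
        return 1;
    }
    printf("%s (%s)\n", dir, used_xdg ? "XDG_RUNTIME_DIR" : "mkdtemp fallback");
    if (!used_xdg)
        rmdir(dir);                             /* demo only: do not leave the directory behind */
    return 0;
}
```

Note that the fallback branch still fails when the temporary filesystem is full, which is exactly the situation the report is about; the point of honouring XDG_RUNTIME_DIR is that /run/user/<uid> is a separate, per-user location, so it is checked first and /tmp is only touched when it is absent or fails the ownership and mode check.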
I'd really love to see this patch applied.
I've managed to get an initial review of this patch at https://lists.mindrot.org/pipermail/openssh-unix-dev/2023-February/040555.html. Jakub Jelen, are you able to address the questions there (and post an updated PR so I can retire mine and you get full credit for your work)?