
List:       bugtraq
Subject:    Re: SSH & xauth
From:       Robert Watson <robert@cyrus.watson.org>
Date:       2000-02-29 2:45:34

On Sat, 26 Feb 2000, David Pybus wrote:

> The issue here has nothing to do with xauth and everything to do with the
> trust granted by SSH. If you use SSH to connect to boxes that you don't
> trust or can't be confident are secure then you should be concerned about
> this. The major threat I see here is that a rooted box could be used to gain
> access to a secure box through the SSH tunnel, even if the secure box is
> behind a firewall that only allows outbound connections.

Since we're discussing problems with the default SSH/OpenSSH trust model,
and X11 is now considered to be risky, we might as well follow on to the
natural successor in the ``disable it due to safety'' world--the automatic
forwarding of access to the authentication agent.  By default, if you make
use of the authentication agent for key management, any host you connect
to will gain access to the ability to use the authentication agent.  In
the untrusted server scenario we've been discussing, this would present a
significant risk, as anyone exploiting access to the authentication agent
could gain any rights normally authorized by demonstration of the keying
material in use.

I.e., suppose you distributed a single identity.pub to a number of hosts
as an authorized_keys entry to log in.  Suppose you make use of ssh-agent,
and ssh-add, to cache the keying material for use.  Now suppose one of
those hosts is compromised--for the lifetime of your ssh connection, the
cracker of the compromised host can log into any account on the other
hosts using that authorized_keys entry.

If we're switching to a model where X11 forwarding is disabled by default
on the client, we should also consider disabling agent forwarding, which
can present a similar and significant risk.

  Robert N M Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
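
The client-side default Watson is arguing about lives in ssh_config, and
whether a given server actually receives your agent depends on a rule that
is easy to get wrong: ssh(1) takes the first ForwardAgent directive whose
Host pattern matches and ignores every later one.  The script below is an
added example, not code from the message above or from OpenSSH.  It resolves
the effective ForwardAgent value for a host the way the client does, and
puts the risky config shape (a wildcard opt-in listed first) beside the safe
one (per-host opt-in, wildcard opt-out last).  The host names and both
sample config files are constructed for the example.

```shell
#!/bin/sh
# Added example: audit a client ssh_config for agent forwarding.
# Not part of the original message or of OpenSSH; host names and sample
# configs below are constructed for illustration.

# Constructed sample, the risky shape: "Host *" grants forwarding everywhere
# and is listed FIRST, so the later per-host "no" never takes effect.
weak_config() {
cat <<'EOF'
Host *
    ForwardAgent yes
    ForwardX11 no
Host untrusted.example.net
    ForwardAgent no
EOF
}

# Constructed sample, the safe shape: opt in for the one host you trust with
# your agent, then turn it off for everything else with "Host *" LAST.
hardened_config() {
cat <<'EOF'
Host bastion.example.net
    ForwardAgent yes
Host *
    ForwardAgent no
    ForwardX11 no
EOF
}

# Effective ForwardAgent value for HOST under CONFIG, following the client's
# first-match rule.  Prints "yes", "no", or "default" when nothing matched
# (OpenSSH's built-in default is "no").  Handles whitespace-separated
# "Keyword value" lines and Host patterns with * and ?; "Match" blocks and
# negated "!pattern" entries are not modelled here.
effective_forward_agent() {
    config=$1; host=$2
    pattern='*'; value=''
    set -f   # no pathname expansion: "Host *" must stay a pattern, not a file list
    while read -r key rest || [ -n "$key" ]; do
        key=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        case "$key" in
            host) pattern=$rest ;;
            forwardagent)
                [ -n "$value" ] && continue        # first match already won
                for p in $pattern; do
                    case "$host" in
                        $p) value=$(printf '%s' "${rest%% *}" | tr 'A-Z' 'a-z'); break ;;
                    esac
                done ;;
        esac
    done < "$config"
    set +f
    printf '%s\n' "${value:-default}"
}

# Exit 0 if HOST will receive the agent under CONFIG.  Anything other than an
# explicit "no" (or the default) enables it: newer OpenSSH also accepts a
# socket path or environment-variable name as the value.
agent_forwarded_to() {
    v=$(effective_forward_agent "$1" "$2")
    [ "$v" != no ] && [ "$v" != default ]
}

# Demo: resolve the effective setting for two hosts under each sample config.
demo() {
    cfg=$(mktemp)
    for c in weak_config hardened_config; do
        "$c" > "$cfg"
        for h in untrusted.example.net bastion.example.net; do
            printf '%-16s %-24s ForwardAgent=%s\n' \
                "$c" "$h" "$(effective_forward_agent "$cfg" "$h")"
        done
    done
    rm -f "$cfg"
}
demo
```

Under weak_config the "untrusted.example.net" block is dead: the wildcard
above it already answered "yes", so the agent is forwarded to the very host
the author tried to exclude.  To see what your real client will do, ask it
directly with `ssh -G untrusted.example.net | grep -i forwardagent`; for a
single connection `ssh -a` refuses forwarding and `ssh -A` requests it.
Current OpenSSH ships with ForwardAgent defaulting to "no", which is the
change this message asks for, and `ssh-add -c` makes the agent prompt for
confirmation on each signing request, so a compromised server that reaches
the forwarded socket (visible there as `$SSH_AUTH_SOCK`) cannot use your key
silently.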
