Home page logo

bugtraq logo Bugtraq mailing list archives

Re: SSH & xauth
From: robert () CYRUS WATSON ORG (Robert Watson)
Date: Mon, 28 Feb 2000 21:45:34 -0500

On Sat, 26 Feb 2000, David Pybus wrote:

The issue here has nothing to do with xauth and everything to do with the
trust granted by SSH. If you use SSH to connect to boxes that you don't
trust or can't be confident are secure then you should be concerned about
this. The major threat I see here is that a rooted box could be used to gain
access to a secure box through the SSH tunnel, even if the secure box is
behind a firewall that only allows outbound connections.

Since we're discussing problems with the default SSH/OpenSSH trust model,
and X11 is now considered to be risky, we might as well follow on to the
natural successor in the ``disable it due to safety'' world--the automatic
forwarding of access to the authentication agent.  By default, if you make
use of the authentication agent for key management, any host you connect
to will gain access to the ability to use the authentication agent.  In
the untrusted server scenario we've been discussing, this would present a
significant risk, as anyone exploiting access to the authentication agent
could gain any rights normally authorized by demonstration of the keying
material in use.

I.e., suppose you distributed a single identity.pub to a number of hosts
as authorized_key to log in.  Suppose you make use of ssh-agent, and
ssh-add, to cache the keying material for use.  Now suppose one of those
hosts is compromised--for the lifetime of your ssh connection, the cracker
of the compromised host can log into any account on the other hosts using
that authorized_keys.

If we're switching to a model where X11 forwarding is disabled by default
on the client, we should also consider disabling agent forwarding, which
can present a similar and significant risk.

  Robert N M Watson

robert () fledge watson org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]