Home page logo

bugtraq logo Bugtraq mailing list archives

Re: SSH / X11 auth: needless complexity -> security problems?
From: Markus Friedl <mfriedl () genua de>
Date: Wed, 6 Jun 2001 10:11:18 +0200

On Tue, Jun 05, 2001 at 03:21:32PM -0400, Peter W wrote:
As for the patches that are more careful when creating 
/tmp/ssh-XXXXXXXX/cookies -- isn't there still an assumption that 
/tmp/ssh-XXXXXXXX/cookies won't be removed before the ssh session ends?

no. sshd did switch uid/groups before creating the dir and the file,
but did not when deleting them. the same applies to agent forwarding.

then don't 
you have another attack vector -- regardless of how careful you were when 
creating the cookies file & its parent directory?

no, i don't think so.

It seems to me this whole xauthority business may be adding complexity for
no good reason. Since the DISPLAY name changes, and an Xauthority file can
hold multiple X cookie credentials, is there any good reason why OpenSSH
need to make, and then, wipe out, a special xauthority file? why it can't
just add credentials to the default xauthority file? Wouldn't that be 
simpler and, almost by definition, more secure? If you really want to be 
polite/clean, you can use the xauth "remove" command to purge the cookie 
from ~/.Xauthority

this feature was inherited from ossh and the reason was:
        1) if $HOME is on NFS, then the cookie travels unencrypted
           over the network, this defeats the purpose of X11-fwding
        2) $HOME/.Xauthority gets polluted with temorary cookies.
however, i'm not sure whether the benefit justifies the complexity,
so this feature could be removed from future OpenSSH versions.

on the other hand, the same problem applies to the agent socket, and
I won't remove the agent code: you can delete all files named
agent.$pid on the system ($pid is the pid of the forked sshd process).


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]