mailing list archives
Re: SSH / X11 auth: needless complexity -> security problems?
From: Markus Friedl <mfriedl () genua de>
Date: Wed, 6 Jun 2001 10:11:18 +0200
On Tue, Jun 05, 2001 at 03:21:32PM -0400, Peter W wrote:
As for the patches that are more careful when creating
/tmp/ssh-XXXXXXXX/cookies -- isn't there still an assumption that
/tmp/ssh-XXXXXXXX/cookies won't be removed before the ssh session ends?
no. sshd did switch uid/groups before creating the dir and the file,
but did not when deleting them. the same applies to agent forwarding.
you have another attack vector -- regardless of how careful you were when
creating the cookies file & its parent directory?
no, i don't think so.
It seems to me this whole xauthority business may be adding complexity for
no good reason. Since the DISPLAY name changes, and an Xauthority file can
hold multiple X cookie credentials, is there any good reason why OpenSSH
need to make, and then, wipe out, a special xauthority file? why it can't
just add credentials to the default xauthority file? Wouldn't that be
simpler and, almost by definition, more secure? If you really want to be
polite/clean, you can use the xauth "remove" command to purge the cookie
this feature was inherited from ossh and the reason was:
1) if $HOME is on NFS, then the cookie travels unencrypted
over the network, this defeats the purpose of X11-fwding
2) $HOME/.Xauthority gets polluted with temorary cookies.
however, i'm not sure whether the benefit justifies the complexity,
so this feature could be removed from future OpenSSH versions.
on the other hand, the same problem applies to the agent socket, and
I won't remove the agent code: you can delete all files named
agent.$pid on the system ($pid is the pid of the forked sshd process).
nosymfollow Re: SSH allows deletion of other users files... Jan Grant (Jun 08)