From: Chuan-kai Lin <cklin@oink.cc.ntu.edu.tw> Subject: #76788: forced ssh agent/X forwarding vulnerability Date: 13 Nov 2000 23:51:35 GMT Message-ID: <[🔎] 8upuq7$jf8$1@www.phys.ntu.edu.tw> cklin> I just saw this in bugtraq this morning, and somebody already cklin> filed a bug against ssh. A patch is available against 2.2.0, cklin> so we probably need to backport it to 1.2.3. As it is heavily cklin> used among security- aware users, we need this one fixed soon. cklin> cklin> -- Chuan-kai Lin Chuan-kai, Thank you for your contribution. I offer advice, hopefully that more than just one person can learn or remember from. Could you please post references or descriptions? Such as: where bugtraq is (for instance, give a site where it can be found); or what forced forwarding vulnerability you may be discussing? In the documentation for (at least one of the versions of) SSH, it says quite plainly and clearly that it is silly to block forwarding of X ports explicitly, so obviously you aren't referring to that, otherwise you would include text responding to the documentation's claims. I don't doubt that you are referring to something, somewhere, out there, but who knows what? I ask that when you post, you do so with multiple windows up so you can make the proper references (and if you don't like windows, then use a good editor like Emacs or vim so you can hold data in multiple registers with all of your reference material, or any multi-buffer editor with a buffer for notes for inclusion, or use pen and paper). As an example, a rewrite of your message: What I did here is include an excerpt USENET-style for one of the references: --- [From bugtraq-D@LISTSERV.LISTS-IN-THE-SKY.ORG Digest Issue #23.4 mirrored at http://bugtraq.lists-in-the-sky.org/76788/] >From Message-ID <bugtraq-D-23.4-IBMVMS-LISTSERV@Lists-In-The-Sky.Org>: " " Subject: #76788: forced ssh agent/X forwarding vulnerability " " In SSH, many paranoid system administrators are worried that " people using their computers may be a security risk. Security " experts have been telling them for decades that this is the " case, since, as any good Vulvan would tell them, this is logically " so. They forgot to mention that there has to be a balance [the rest I edited out since it is not important to me.] I just saw the above in bugtraq this morning, and somebody already filed a patch against SSH to fix this supposed bug: the patch is available at http://bugtraq.lists-in-the-sky.org/76788/patch1.patch against SSH.FI's commercial version 2.2.0, so we probably need to backport it to SSH.FI's non-commercial version 1.2.3 which is used in Debian. As the patch is heavily used among security-aware users (which I found out psychically), we need this bug fixed immediately. If we had been using OpenBSD, this would have never been a problem, since it is turned off by default. In fact, OpenBSD isn't even installed by anybody, so it really isn't a problem. But, just in case someone actually decides to turn a computer on, they ought to realize there is an alternative to SSH.FI's SSH version, based on RFCs. OpenBSD produces an SSH which can be used under Linux without significant encumberment called OpenSSH (available from http://www.openssh.com/), and I have had good experience finding it to work after installing it under Linux. Since I'm still totally paranoid, I also need to know if there is a patch for disabling a very important feature of SSH so that OpenSSH can also refuse X forwarding, or whatever it is that I was saying above consistently here. Also check out http://www.freessh.org/ for other versions of SSH; I didn't check, but there may be versions there that will run under Debian. Actually, the documentation to SSH-FOO-version-4.3.4 says quite plainly in the manual page that the above bug report is not a security violation, but there is a good description of how this may not be the case at http://home.cableandtimestar.net/~myhome/ssh_X_forwarding_security_implications_reviewed.txt. ----- End example. Sorry, I was a bit sarcastic, but I did just come out of English class, and I think it is not necessarily the English that is wrong, but the principles of description and honest reference (unless that is an English trait *cough* [as a genetic Irish American I don't think so, unless it's that the rest of the world is *worse*]) -- I think you generally excellent computer people from TW could understand that, and I truely write this in the spirit of helping critique for further advancement of quality within the contributed software realm. Brad Allen <ulmo@q.net>
Attachment:
pgp9oe2CySl7B.pgp
Description: PGP signature