
Re: #76788: forced ssh agent/X forwarding vulnerability

From: Chuan-kai Lin <cklin@oink.cc.ntu.edu.tw>
Subject: #76788: forced ssh agent/X forwarding vulnerability
Date: 13 Nov 2000 23:51:35 GMT
Message-ID: <8upuq7$jf8$1@www.phys.ntu.edu.tw>

cklin> I just saw this in bugtraq this morning, and somebody already
cklin> filed a bug against ssh.  A patch is available against 2.2.0,
cklin> so we probably need to backport it to 1.2.3.  As it is heavily
cklin> used among security-aware users, we need this one fixed soon.
cklin> -- Chuan-kai Lin


Thank you for your contribution.  I offer advice that, hopefully,
more than just one person can learn from or remember.

Could you please post references or descriptions?  Such as: where
bugtraq is (for instance, give a site where it can be found); or what
forced forwarding vulnerability you may be discussing?  In the
documentation for (at least one of the versions of) SSH, it says quite
plainly and clearly that it is silly to block forwarding of X ports
explicitly, so obviously you aren't referring to that, otherwise you
would include text responding to the documentation's claims.

I don't doubt that you are referring to something, somewhere, out
there, but who knows what?  I ask that when you post, you do so with
multiple windows up so you can make the proper references (and if you
don't like windows, then use a good editor like Emacs or vim so you
can hold data in multiple registers with all of your reference
material, or any multi-buffer editor with a buffer for notes for
inclusion, or use pen and paper).

As an example, a rewrite of your message:  What I did here is include
an excerpt USENET-style for one of the references:


[From bugtraq-D@LISTSERV.LISTS-IN-THE-SKY.ORG Digest Issue #23.4
mirrored at http://bugtraq.lists-in-the-sky.org/76788/]

>From Message-ID <bugtraq-D-23.4-IBMVMS-LISTSERV@Lists-In-The-Sky.Org>:
" Subject:  #76788: forced ssh agent/X forwarding vulnerability
" In SSH, many paranoid system administrators are worried that
" people using their computers may be a security risk.  Security
" experts have been telling them for decades that this is the
" case, since, as any good Vulvan would tell them, this is logically
" so.  They forgot to mention that there has to be a balance
[the rest I edited out since it is not important to me.]

I just saw the above in bugtraq this morning, and somebody already
filed a patch against SSH to fix this supposed bug: the patch is
available at http://bugtraq.lists-in-the-sky.org/76788/patch1.patch
against SSH.FI's commercial version 2.2.0, so we probably
need to backport it to SSH.FI's non-commercial version 1.2.3 which is
used in Debian.  As the patch is heavily used among security-aware
users (which I found out psychically), we need this bug fixed

If we had been using OpenBSD, this would have never been a problem,
since it is turned off by default.  In fact, OpenBSD isn't even
installed by anybody, so it really isn't a problem.  But, just in case
someone actually decides to turn a computer on, they ought to realize
there is an alternative to SSH.FI's SSH version, based on RFCs.
OpenBSD produces an SSH which can be used under Linux without
significant encumberment called OpenSSH (available from
http://www.openssh.com/), and I have had good experience finding it to
work after installing it under Linux.  Since I'm still totally
paranoid, I also need to know if there is a patch for disabling a very
important feature of SSH so that OpenSSH can also refuse X forwarding,
or whatever it is that I was saying above consistently here.  Also
check out http://www.freessh.org/ for other versions of SSH; I didn't
check, but there may be versions there that will run under Debian.

Actually, the documentation to SSH-FOO-version-4.3.4 says quite
plainly in the manual page that the above bug report is not a security
violation, but there is a good description of how this may not be the
case at


End example.  Sorry, I was a bit sarcastic, but I did just come out of
English class, and I think it is not necessarily the English that is
wrong, but the principles of description and honest reference (unless
that is an English trait *cough* [as a genetic Irish American I don't
think so, unless it's that the rest of the world is *worse*]) -- I
think you generally excellent computer people from TW could understand
that, and I truly write this in the spirit of helping critique for
further advancement of quality within the contributed software realm.

Brad Allen
