
Bug#296547: ssh: [CAN-2004-1653] default configuration for OpenSSH enables AllowTcpForwarding



Package: ssh
Version: 1:3.8.1p1-8.sarge.4
Severity: normal
Tags: security

Hello,

CAN-2004-1653 reads:

The default configuration for OpenSSH enables AllowTcpForwarding,
which could allow remote authenticated users to perform a port bounce,
when configured with an anonymous access program such as AnonCVS.

If the target system resides behind a firewall, this can allow the
remote user to bypass the firewall.

Impact:  A remote authenticated user can cause the target service to
forward connections to arbitrary ports on arbitrary hosts.

The sshd_config man page reads:

AllowTcpForwarding
        Specifies whether TCP forwarding is permitted.  The
        default is "yes".  Note that disabling TCP forwarding
        does not improve security unless users are also denied
        shell access, as they can always install their own
        forwarders.

This CAN can be found here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1653

More information is located here:
http://marc.theaimsgroup.com/?l=bugtraq&m=109413637313484&w=2
http://www.securitytracker.com/alerts/2004/Sep/1011143.html
http://xforce.iss.net/xforce/xfdb/17213

Solution:  Set the default /etc/ssh/sshd_config file to have:

AllowTcpForwarding no

Micah
-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (990, 'testing'), (300, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages ssh depends on:
ii  adduser                     3.59         Add and remove users and groups
ii  debconf                     1.4.30.11    Debian configuration management sy
ii  dpkg                        1.10.26      Package maintenance system for Deb
ii  libc6                       2.3.2.ds1-20 GNU C Library: Shared libraries an
ii  libpam-modules              0.76-22      Pluggable Authentication Modules f
ii  libpam-runtime              0.76-22      Runtime support for the PAM librar
ii  libpam0g                    0.76-22      Pluggable Authentication Modules l
ii  libssl0.9.7                 0.9.7e-2     SSL shared libraries
ii  libwrap0                    7.6.dbs-6    Wietse Venema's TCP wrappers libra
ii  zlib1g                      1:1.2.2-3    compression library - runtime

-- debconf information excluded
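The following is an added example, not part of the original bug report or of the Debian ssh package. It places the weak configuration the report describes (no AllowTcpForwarding line, so the compiled-in default "yes" applies) beside a hardened one, and adds a small audit function that reports the AllowTcpForwarding value sshd would apply to a given user. The hardened sample follows the man page caveat quoted above: the anonymous account has forwarding disabled and is also pinned to a single command, so it never gets a shell from which to run its own forwarder. Assumptions: a modern OpenSSH that understands "Match User" blocks (4.4 and later; the sarge-era 3.8.1p1 in the report only has the global directive), a hypothetical anonymous account named anoncvs, the hypothetical command path /usr/bin/cvs server, and the hypothetical helper name effective_tcp_forwarding. Both config files are constructed inline, and the checker only understands the "User" criterion of Match, which is a simplification of sshd's real matching.

```shell
#!/bin/sh
# Added example (not from the original bug report or the ssh package).
# Two constructed sshd_config samples plus an audit helper that reports the
# AllowTcpForwarding value a given user ends up with.

# Constructed sample 1: the default-style config the report complains about.
# There is no AllowTcpForwarding line, so the compiled-in default "yes" applies
# to every authenticated user, including an anonymous-access account.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
Subsystem sftp /usr/lib/openssh/sftp-server
EOF

# Constructed sample 2: the hardened config.  Interactive users keep forwarding;
# the anonymous account (hypothetical name "anoncvs") loses forwarding and, per
# the sshd_config man page caveat, also loses shell access via ForceCommand.
# "Match User" needs OpenSSH 4.4 or later; /usr/bin/cvs is an assumed path.
HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
AllowTcpForwarding yes
Subsystem sftp /usr/lib/openssh/sftp-server

Match User anoncvs
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
    PermitTTY no
    ForceCommand /usr/bin/cvs server
EOF
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

# effective_tcp_forwarding CONFIG USER
# Prints the AllowTcpForwarding value sshd would apply to USER ("yes", "no",
# or one of the newer "local"/"remote"/"all" keywords if the file uses them).
# Rules modelled: keywords are case-insensitive; within a section the first
# occurrence of a keyword wins; a value from a matching "Match User" block
# overrides the global one; with no directive at all the default is "yes".
# Simplification: only the "User" criterion of Match is understood, and a
# "Match User a,b,c" list matches if USER appears in it.
effective_tcp_forwarding() {
    awk -v user="$2" '
        BEGIN { gval = ""; uval = ""; scope = "global" }
        /^[ \t]*#/ || /^[ \t]*$/ { next }           # skip comments and blanks
        {
            key = tolower($1)
            if (key == "match") {
                scope = "other"                     # non-matching block by default
                if (tolower($2) == "user") {
                    n = split($3, users, ",")
                    for (i = 1; i <= n; i++)
                        if (users[i] == user) scope = "user"
                }
                next
            }
            if (key == "allowtcpforwarding") {
                v = tolower($2)
                if (scope == "global" && gval == "") gval = v
                else if (scope == "user" && uval == "") uval = v
            }
        }
        END {
            if (uval != "") print uval
            else if (gval != "") print gval
            else print "yes"                        # compiled-in default
        }
    ' "$1"
}

# Demonstration: anoncvs can port-bounce with the weak config but not the
# hardened one, while an ordinary user keeps forwarding under both.
echo "weak  config, anoncvs: $(effective_tcp_forwarding "$WEAK_CFG" anoncvs)"
echo "hard  config, anoncvs: $(effective_tcp_forwarding "$HARD_CFG" anoncvs)"
echo "hard  config, alice:   $(effective_tcp_forwarding "$HARD_CFG" alice)"
```

On a live host the same check can be run against the installed file, for example effective_tcp_forwarding /etc/ssh/sshd_config anoncvs, to confirm that the restriction actually reaches the anonymous account and is not only present as a global line that a later Match block re-enables.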