Bug#509229: openssh-client: ssh-agent man page describes wrong (and insecure) forwarding behavior
Package: openssh-client
Version: 1:4.3p2-9etch3
Severity: normal
Tags: patch


The man page ssh-agent(1) says,

"""Authentication data need not be stored on any other machine, and
authentication passphrases never go over the network.  However, the
connection to the agent is forwarded over SSH remote logins, and the
user can thus use the privileges given by the identities anywhere in
the network in a secure way."""

This is not true, and would be a serious security problem if it were
-- a compromise on the remote host could employ the user's privileges
to connect elsewhere.  In fact, no such connection is forwarded unless
the user specifically asks for it with the -A option to ssh.

The patch below fixes this error.

Cheers,
Greg
--- ssh-agent.1~        2008-12-19 18:12:40.000000000 -0500
+++ ssh-agent.1 2008-12-19 18:15:02.000000000 -0500
@@ -129,8 +129,10 @@
 terminal.
 Authentication data need not be stored on any other
 machine, and authentication passphrases never go over the network.
-However, the connection to the agent is forwarded over SSH
-remote logins, and the user can thus use the privileges given by the
+However, with
+.Cm ssh -A
+the connection to the agent may be forwarded over SSH remote logins,
+so that the user can use the privileges given by the
 identities anywhere in the network in a secure way.
 .Pp
 There are two main ways to get an agent set up:
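Review bot: the rewritten sentence at `+However, with` / `+.Cm ssh -A` still names only the command-line switch; the same forwarding is enabled by the ssh_config(5) `ForwardAgent` option, so a reader auditing a configuration file would not learn from this paragraph that forwarding can already be switched on there. Suggest mentioning both, e.g. "with ssh -A or ForwardAgent yes in ssh_config(5)". On markup: `.Cm` is the mdoc macro for command modifiers, while a reference to another program with its flag is conventionally written `.Xr ssh 1` followed by `.Fl A`, which also yields a cross-reference in rendered output. The hunk counts (-129,8 / +129,10, two lines removed, four added) are consistent.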
-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.24.5
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages openssh-client depends on:
ii  add 3.102                                Add and remove users and groups
ii  deb 1.5.11etch2                          Debian configuration management sy
ii  dpk 1.13.25                              package maintenance system for Deb
ii  lib 2.3.6.ds1-13etch7                    GNU C Library: Shared libraries
ii  lib 1.39+1.40-WIP-2006.11.14+dfsg-2etch1 common error description library
ii  lib 2.9.cvs.20050518-2.2                 BSD editline and history libraries
ii  lib 1.4.4-7etch6                         MIT Kerberos runtime libraries
ii  lib 5.5-5                                Shared libraries for terminal hand
ii  lib 0.9.8c-4etch3                        SSL shared libraries
ii  pas 1:4.0.18.1-7                         change and administer password and
ii  zli 1:1.2.3-13                           compression library - runtime

openssh-client recommends no packages.

-- no debconf information
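The report's point is that agent forwarding is opt-in (ssh -A, or equivalently ForwardAgent in ssh_config). The following is an added example, not part of the bug report or of OpenSSH, that resolves which ForwardAgent value ssh_config would apply to a host under the first-match-wins rule, so a blanket "Host *" entry that quietly re-enables forwarding everywhere can be spotted. The config texts, host names and the function name are constructed for this example; negated patterns and Match blocks are not evaluated.

```shell
#!/bin/sh
# Constructed sample ssh_config (not from the bug report). Forwarding is
# off unless enabled per host, here only for the jump host.
SAMPLE_CONFIG='ServerAliveInterval 30

Host jump.example.test
    ForwardAgent yes

Host *.example.test
    ForwardAgent no
'
# Constructed risky variant: a leading "Host *" wins for every host, so the
# later "no" never applies and the agent is forwarded everywhere.
RISKY_CONFIG='Host *
    ForwardAgent yes

Host *.example.test
    ForwardAgent no
'

# effective_forward_agent HOST [CONFIG_TEXT]
# Prints the ForwardAgent value ssh_config rules give HOST: the first
# matching value wins and the default is "no". Match blocks and "!pattern"
# entries are not evaluated (assumption of this example).
effective_forward_agent() {
    printf '%s\n' "${2:-$SAMPLE_CONFIG}" | awk -v want="$1" '
        # Turn an ssh_config glob into an anchored ERE without backslashes.
        function glob2re(pat,   i, c, re) {
            re = "^"
            for (i = 1; i <= length(pat); i++) {
                c = substr(pat, i, 1)
                if (c == "*") re = re ".*"
                else if (c == "?") re = re "."
                else if (c ~ /[A-Za-z0-9_-]/) re = re c
                else re = re "[" c "]"
            }
            return re "$"
        }
        BEGIN { active = 1; found = 0 }   # lines before any Host apply to all
        tolower($1) == "host" {
            active = 0
            for (i = 2; i <= NF; i++) if (want ~ glob2re($i)) active = 1
            next
        }
        tolower($1) == "match" { active = 0; next }
        active && !found && tolower($1) == "forwardagent" { found = 1; val = tolower($2) }
        END { print (found ? val : "no") }
    '
}

effective_forward_agent "${1:-jump.example.test}"
```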