Bug#509229: openssh-client: ssh-agent man page describes wrong (and insecure) forwarding behavior
Package: openssh-client
Version: 1:4.3p2-9etch3
Severity: normal
Tags: patch
The man page ssh-agent(1) says,
"""Authentication data need not be stored on any other machine, and
authentication passphrases never go over the network. However, the
connection to the agent is forwarded over SSH remote logins, and the
user can thus use the privileges given by the identities anywhere in
the network in a secure way."""
This is not true, and would be a serious security problem if it were
-- a compromise on the remote host could employ the user's privileges
to connect elsewhere. In fact, no such connection is forwarded unless
the user specifically asks for it with the -A option to ssh.
The patch below fixes this error.
Cheers,
Greg
--- ssh-agent.1~ 2008-12-19 18:12:40.000000000 -0500
+++ ssh-agent.1 2008-12-19 18:15:02.000000000 -0500
@@ -129,8 +129,10 @@
terminal.
Authentication data need not be stored on any other
machine, and authentication passphrases never go over the network.
-However, the connection to the agent is forwarded over SSH
-remote logins, and the user can thus use the privileges given by the
+However, with
+.Cm ssh -A
+the connection to the agent may be forwarded over SSH remote logins,
+so that the user can use the privileges given by the
identities anywhere in the network in a secure way.
.Pp
There are two main ways to get an agent set up:
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.24.5
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages openssh-client depends on:
ii add 3.102 Add and remove users and groups
ii deb 1.5.11etch2 Debian configuration management sy
ii dpk 1.13.25 package maintenance system for Deb
ii lib 2.3.6.ds1-13etch7 GNU C Library: Shared libraries
ii lib 1.39+1.40-WIP-2006.11.14+dfsg-2etch1 common error description library
ii lib 2.9.cvs.20050518-2.2 BSD editline and history libraries
ii lib 1.4.4-7etch6 MIT Kerberos runtime libraries
ii lib 5.5-5 Shared libraries for terminal hand
ii lib 0.9.8c-4etch3 SSL shared libraries
ii pas 1:4.0.18.1-7 change and administer password and
ii zli 1:1.2.3-13 compression library - runtime
openssh-client recommends no packages.
-- no debconf information
Reply to: