
Bug#779069: openssh-server: no way to disable unix domain socket/streamlocal forwarding from authorized_keys



Package: openssh-server
Version: 1:6.7p1-3
Severity: important
Tags: security

As far as I can tell, unix domain socket forwarding is enabled by
default and there is no way to disable it from authorized_keys files.
This means that it might be possible for ssh triggers[1] to do unix
domain socket forwarding, even though they are meant to be restricted to
very limited things. SSH triggers are often restricted to a specific
command, no-agent-forwarding, no-port-forwarding, no-X11-forwarding,
no-pty and I think no-streamlocal-forwarding should be added to that
set. Personally I think this needs to be fixed before the jessie
release, please upgrade the severity to serious if you agree.
The code indicates[2] that this still needs to be completed.

     1. http://blog.ganneff.de/blog/2007/12/29/ssh-triggers.html
     2. https://sources.debian.net/src/openssh/1:6.7p1-3/auth-options.c/?hl=127#L342

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
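
An audit of the restriction set described in the report above, as an added example that is not part of the original message or of OpenSSH: it flags forced-command keys that lack any of the four options the report names. It does not look for no-streamlocal-forwarding, which the report says has no authorized_keys option in this version; the sample entries, key blobs and command paths are constructed.

```python
# The four restriction options the report lists for ssh trigger keys.
REQUIRED = {"no-agent-forwarding", "no-port-forwarding",
            "no-x11-forwarding", "no-pty"}
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")

# Constructed sample entries (not real keys, hypothetical command paths).
SAMPLE = '''\
command="/usr/local/bin/trigger-sync",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAAconstructed sync@example
command="/usr/local/bin/backup \\"daily, full\\"",no-pty ssh-rsa AAAAconstructed backup@example
ssh-ed25519 AAAAconstructed admin@example
'''


def split_options(line):
    """Return the option list of one entry; quotes may hold commas and spaces."""
    if line.startswith(KEY_PREFIXES):
        return []                      # entry begins with the key type
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if quoted and ch == "\\" and i + 1 < len(line):
            cur += line[i + 1]         # backslash escapes the next character
            i += 1
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            opts.append(cur)
            cur = ""
        elif ch in " \t" and not quoted:
            break                      # options end at first unquoted space
        else:
            cur += ch
        i += 1
    return [o for o in opts + [cur] if o]


def audit(text):
    """Return (line number, forced command, missing options) per weak entry."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        opts = split_options(raw.strip())
        names = {o.split("=", 1)[0].lower() for o in opts}
        cmds = [o.split("=", 1)[1] for o in opts if o.lower().startswith("command=")]
        missing = sorted(REQUIRED - names)
        if cmds and missing:           # only trigger-style (forced command) keys
            findings.append((n, cmds[0], missing))
    return findings
```

Calling `audit(open(path).read())` on an authorized_keys file returns one tuple per forced-command entry that is missing a restriction; entries without `command=` are ignored.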
