[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#803318: openssh-client: trusted X11 always on by default with -X, ssh_config -Y default misleading

Package: openssh-client
Version: 1:6.7p1-5
Severity: important

/etc/ssh/ssh_config lists default "ForwardX11 no" and "ForwardX11Trusted yes".

So, `ssh -X` is actually equivalent to `ssh -X -Y` without telling the user.

The default should be "ForwardX11Trusted no" else the -Y option is essentially
meaningless.  This is very misleading because users will think that because
the -Y option is a positive affirmation, that it is normally not set by default
when using the -X option.

This could lead to compromise of the client host when connecting to an untrusted
server, such as an employer with malicious practices or whose server
is compromised.

The following checks demonstrate that the default settings allow a trusted
connection, implicit -Y when using -X.  `xwd` generates a 13M file with the
default settings, but does not work when "ForwardX11Trusted no" is set in
/etc/ssh/ssh_config.

======================================
hedges@peanut ~
2015-10-28 10:40:11 -0700 Wed $ grep -E '(ForwardX11|^Host)' /etc/ssh/ssh_config
Host *
#   ForwardX11 no
#   ForwardX11Trusted yes

hedges@peanut ~
2015-10-28 10:40:16 -0700 Wed $ ssh -X localhost xwd -root > /tmp/test.xwd

hedges@peanut ~
2015-10-28 10:40:28 -0700 Wed $ ls -lah /tmp/test.xwd
-rw-r--r-- 1 hedges hedges 13M Oct 28 10:40 /tmp/test.xwd

hedges@peanut ~
2015-10-28 10:40:33 -0700 Wed $ sudo vi /etc/ssh/ssh_config

hedges@peanut ~
2015-10-28 10:40:46 -0700 Wed $ grep -E '(ForwardX11|^Host)' /etc/ssh/ssh_config
Host *
ForwardX11Trusted no
#   ForwardX11 no
#   ForwardX11Trusted yes

hedges@peanut ~
2015-10-28 10:40:50 -0700 Wed $ ssh -X localhost xwd -root > /tmp/test.xwd

hedges@peanut ~
2015-10-28 10:40:53 -0700 Wed $ ls -lah /tmp/test.xwd
-rw-r--r-- 1 hedges hedges 0 Oct 28 10:40 /tmp/test.xwd
======================================

This should be considered a security risk since the documentation is misleading.

Yes, changing the default will break client script where they use `ssh -X` and
it happens to work only because -Y is implicit but they didn't know that.
Those users will have to add -Y to their scripts.

Thank you.
Mark Hedges

Default /etc/ssh/ssh_config:

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

Host *
#   ForwardAgent no
#   ForwardX11 no
#   ForwardX11Trusted yes
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   GSSAPIKeyExchange no
#   GSSAPITrustDNS no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com
#   RekeyLimit 1G 1h
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no



-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-client depends on:
ii  adduser           3.113+nmu3
ii  dpkg              1.17.25
ii  libc6             2.19-18+deb8u1
ii  libedit2          3.1-20140620-2
ii  libgssapi-krb5-2  1.12.1+dfsg-19
ii  libselinux1       2.3-2
ii  libssl1.0.0       1.0.1k-3+deb8u1
ii  passwd            1:4.2-3
ii  zlib1g            1:1.2.8.dfsg-2+b1

Versions of packages openssh-client recommends:
ii  xauth  1:1.0.9-1

Versions of packages openssh-client suggests:
pn  keychain      <none>
pn  libpam-ssh    <none>
pn  monkeysphere  <none>
pn  ssh-askpass   <none>

-- no debconf information
Reply to: