Bug#1014359: openssh-server: DisableForwarding does not override AllowAgentForwarding and X11Forwarding

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1014359: openssh-server: DisableForwarding does not override AllowAgentForwarding and X11Forwarding
From: Clive Standbridge <HNAS-noreply@hitachivantara.com>
Date: Mon, 4 Jul 2022 21:33:35 +0100
Message-id: <[🔎] 165696681549.86318.10744614019069981784.reportbug@cas-bullseye.dev.bluearc.com>
Reply-to: Clive Standbridge <HNAS-noreply@hitachivantara.com>, 1014359@bugs.debian.org

Package: openssh-server
Version: 1:8.4p1-5
Severity: normal
X-Debbugs-Cc: clive.standbridge@hitachivantara.com


sshd_config(5) states:
     DisableForwarding
             Disables all forwarding features, including X11, ssh-agent(1),
             TCP and StreamLocal.  This option overrides all other forwarding-
             related options and may simplify restricted configurations.

In practice, DisableForwarding seems to work for TCP and StreamLocal forwarding but has no effect on X Window and ssh-agent forwarding.

-----

To demonstrate with three bullseye machines...

Set up a key pair with a non-empty passphrase:

luser@cas-bullseye:~$ ssh-keygen -q -f .ssh/fwd-test-key
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
luser@cas-bullseye:~$ 

Copy the public key to each of two destinations (using password authentication):

luser@cas-bullseye:~$ ssh-copy-id -i .ssh/fwd-test-key.pub deb2-cas
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/fwd-test-key.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
luser@deb2-cas's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'deb2-cas'"
and check to make sure that only the key(s) you wanted were added.

luser@cas-bullseye:~$ ssh-copy-id -i .ssh/fwd-test-key.pub deb3-cas
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/fwd-test-key.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
luser@deb3-cas's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'deb3-cas'"
and check to make sure that only the key(s) you wanted were added.

-----

Confirm that password-free login to each destination works using ssh-agent:

luser@cas-bullseye:~$ ssh-agent bash
luser@cas-bullseye:~$ ssh-add .ssh/fwd-test-key
Enter passphrase for .ssh/fwd-test-key: 
Identity added: .ssh/fwd-test-key (luser@cas-bullseye)
luser@cas-bullseye:~$ ssh deb2-cas hostname
deb2-cas
luser@cas-bullseye:~$ ssh deb3-cas hostname
deb3-cas

-----

With the default ssh server configuration, both agent forwarding and X forwarding succeeded as expected:

root@deb2-cas:~# sshd -T |grep -i forward
x11forwarding yes
allowtcpforwarding yes
allowagentforwarding yes
disableforwarding no
allowstreamlocalforwarding yes

luser@cas-bullseye:~$ ssh -A -t deb2-cas ssh deb3-cas hostname
deb3-cas
Connection to deb2-cas closed.

luser@cas-bullseye:~$ ssh -X deb2-cas xlogo; echo exit code was $?
/usr/bin/xauth:  file /opt/home/luser/.Xauthority does not exist
exit code was 0

(xlogo was displayed and ssh exited after I closed it.)

-----

Now with "DisableForwarding yes" set in /etc/ssh/sshd_config.d/temp.conf, sshd restarted, both agent forwarding and X forwarding still worked. That was unexpected:

root@deb2-cas:~# sshd -T |grep -i forward
x11forwarding yes
allowtcpforwarding yes
allowagentforwarding yes
disableforwarding yes
allowstreamlocalforwarding yes

luser@cas-bullseye:~$ ssh -A -t deb2-cas ssh deb3-cas hostname
deb3-cas
Connection to deb2-cas closed.

luser@cas-bullseye:~$ ssh -X deb2-cas xlogo; echo exit code was $?
exit code was 0

(Again, xlogo was displayed and ssh exited after I closed it.)

-----

I had to disable agent forwarding and X forwarding individually to inhibit those features:

root@deb2-cas:~# sshd -T |grep -i forward
x11forwarding no
allowtcpforwarding yes
allowagentforwarding no
disableforwarding no
allowstreamlocalforwarding yes

The forwarded login fell back to password authentication:

luser@cas-bullseye:~$ ssh -A -t deb2-cas ssh deb3-cas hostname
luser@deb3-cas's password: 
deb3-cas
Connection to deb2-cas closed.

and xlogo was not displayed:

luser@cas-bullseye:~$ ssh -X deb2-cas xlogo; echo exit code was $?
X11 forwarding request failed on channel 0
Error: Can't open display: 
exit code was 1

-----

I will attach disableforwarding-fix-bullseye.patch which seems to fix both problems.


-- System Information:
Debian Release: 11.3
  APT prefers stable-updates
  APT policy: (990, 'stable-updates'), (990, 'stable-security'), (990, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-15-amd64 (SMP w/1 CPU thread)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-server depends on:
ii  adduser                3.118
ii  debconf [debconf-2.0]  1.5.77
ii  dpkg                   1.20.10
ii  libaudit1              1:3.0-2
ii  libc6                  2.31-13+deb11u3
ii  libcom-err2            1.46.2-2
ii  libcrypt1              1:4.4.18-4
ii  libgssapi-krb5-2       1.18.3-6+deb11u1
ii  libkrb5-3              1.18.3-6+deb11u1
ii  libpam-modules         1.4.0-9+deb11u1
ii  libpam-runtime         1.4.0-9+deb11u1
ii  libpam0g               1.4.0-9+deb11u1
ii  libselinux1            3.1-3
ii  libssl1.1              1.1.1n-0+deb11u3
ii  libsystemd0            247.3-7
ii  libwrap0               7.6.q-31
ii  lsb-base               11.1.0
ii  openssh-client         1:8.4p1-5
ii  openssh-sftp-server    1:8.4p1-5
ii  procps                 2:3.3.17-5
ii  runit-helper           2.10.3
ii  ucf                    3.0043
ii  zlib1g                 1:1.2.11.dfsg-2+deb11u1

Versions of packages openssh-server recommends:
ii  libpam-systemd [logind]  247.3-7
ii  ncurses-term             6.2+20201114-2
ii  xauth                    1:1.1-1

Versions of packages openssh-server suggests:
ii  molly-guard   0.7.2
pn  monkeysphere  <none>
pn  ssh-askpass   <none>
pn  ufw           <none>

-- debconf information:
  openssh-server/permit-root-login: true
  openssh-server/password-authentication: true

--- openssh-8.4p1.orig-package/session.c	2022-07-04 17:10:25.000000000 +0100
+++ openssh-8.4p1/session.c	2022-07-04 17:21:14.865286957 +0100
@@ -2196,7 +2196,8 @@
 	if ((r = sshpkt_get_end(ssh)) != 0)
 		sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
 	if (!auth_opts->permit_agent_forwarding_flag ||
-	    !options.allow_agent_forwarding) {
+	    !options.allow_agent_forwarding ||
+	    options.disable_forwarding) {
 		debug("%s: agent forwarding disabled", __func__);
 		return 0;
 	}
@@ -2584,7 +2585,8 @@
 		ssh_packet_send_debug(ssh, "X11 forwarding disabled by key options.");
 		return 0;
 	}
-	if (!options.x11_forwarding) {
+	if (!options.x11_forwarding ||
+	options.disable_forwarding) {
 		debug("X11 forwarding disabled in server configuration file.");
 		return 0;
 	}

Reply to:

Prev by Date: openssh_8.4p1-5+deb11u1_source.changes ACCEPTED into proposed-updates->stable-new, proposed-updates
Next by Date: Bug#946180: Same problem in openssh-server 1:8.4p1-5+deb11u1
Previous by thread: openssh_8.4p1-5+deb11u1_source.changes ACCEPTED into proposed-updates->stable-new, proposed-updates
Next by thread: Bug#946180: Same problem in openssh-server 1:8.4p1-5+deb11u1
Index(es):
- Date
- Thread