Bug#1014359: openssh-server: DisableForwarding does not override AllowAgentForwarding and X11Forwarding
Package: openssh-server
Version: 1:8.4p1-5
Severity: normal
X-Debbugs-Cc: clive.standbridge@hitachivantara.com
sshd_config(5) states:
DisableForwarding
    Disables all forwarding features, including X11, ssh-agent(1),
    TCP and StreamLocal. This option overrides all other
    forwarding-related options and may simplify restricted configurations.
In practice, DisableForwarding seems to work for TCP and StreamLocal forwarding but has no effect on X Window and ssh-agent forwarding.
-----
To demonstrate with three bullseye machines...
Set up a key pair with a non-empty passphrase:
luser@cas-bullseye:~$ ssh-keygen -q -f .ssh/fwd-test-key
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
luser@cas-bullseye:~$
Copy the public key to each of two destinations (using password authentication):
luser@cas-bullseye:~$ ssh-copy-id -i .ssh/fwd-test-key.pub deb2-cas
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/fwd-test-key.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
luser@deb2-cas's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'deb2-cas'"
and check to make sure that only the key(s) you wanted were added.
luser@cas-bullseye:~$ ssh-copy-id -i .ssh/fwd-test-key.pub deb3-cas
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/fwd-test-key.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
luser@deb3-cas's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'deb3-cas'"
and check to make sure that only the key(s) you wanted were added.
-----
Confirm that password-free login to each destination works using ssh-agent:
luser@cas-bullseye:~$ ssh-agent bash
luser@cas-bullseye:~$ ssh-add .ssh/fwd-test-key
Enter passphrase for .ssh/fwd-test-key:
Identity added: .ssh/fwd-test-key (luser@cas-bullseye)
luser@cas-bullseye:~$ ssh deb2-cas hostname
deb2-cas
luser@cas-bullseye:~$ ssh deb3-cas hostname
deb3-cas
-----
With the default ssh server configuration, both agent forwarding and X forwarding succeeded as expected:
root@deb2-cas:~# sshd -T |grep -i forward
x11forwarding yes
allowtcpforwarding yes
allowagentforwarding yes
disableforwarding no
allowstreamlocalforwarding yes
luser@cas-bullseye:~$ ssh -A -t deb2-cas ssh deb3-cas hostname
deb3-cas
Connection to deb2-cas closed.
luser@cas-bullseye:~$ ssh -X deb2-cas xlogo; echo exit code was $?
/usr/bin/xauth: file /opt/home/luser/.Xauthority does not exist
exit code was 0
(xlogo was displayed and ssh exited after I closed it.)
-----
Now with "DisableForwarding yes" set in /etc/ssh/sshd_config.d/temp.conf, sshd restarted, both agent forwarding and X forwarding still worked. That was unexpected:
root@deb2-cas:~# sshd -T |grep -i forward
x11forwarding yes
allowtcpforwarding yes
allowagentforwarding yes
disableforwarding yes
allowstreamlocalforwarding yes
luser@cas-bullseye:~$ ssh -A -t deb2-cas ssh deb3-cas hostname
deb3-cas
Connection to deb2-cas closed.
luser@cas-bullseye:~$ ssh -X deb2-cas xlogo; echo exit code was $?
exit code was 0
(Again, xlogo was displayed and ssh exited after I closed it.)
-----
I had to disable agent forwarding and X forwarding individually to inhibit those features:
root@deb2-cas:~# sshd -T |grep -i forward
x11forwarding no
allowtcpforwarding yes
allowagentforwarding no
disableforwarding no
allowstreamlocalforwarding yes
The forwarded login fell back to password authentication:
luser@cas-bullseye:~$ ssh -A -t deb2-cas ssh deb3-cas hostname
luser@deb3-cas's password:
deb3-cas
Connection to deb2-cas closed.
and xlogo was not displayed:
luser@cas-bullseye:~$ ssh -X deb2-cas xlogo; echo exit code was $?
X11 forwarding request failed on channel 0
Error: Can't open display:
exit code was 1
-----
I will attach disableforwarding-fix-bullseye.patch which seems to fix both problems.
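An added audit helper, not part of this report or of the openssh package: it parses the kind of `sshd -T` output shown above and warns when agent or X11 forwarding would still be honoured by a server affected by this bug, while treating TCP/StreamLocal as covered by DisableForwarding. The function names and the embedded sample are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the bug report or the openssh package): audit
# the effective sshd configuration ("sshd -T" output, run as root) and
# warn when DisableForwarding is set but agent or X11 forwarding would
# still be honoured by a server affected by this bug (1:8.4p1-5).
# Function and sample names below are assumptions for this example.

# get_opt OUTPUT KEY: print KEY's value from sshd -T output (empty if absent)
get_opt() {
    printf '%s\n' "$1" | awk -v k="$2" 'tolower($1) == k { print $2; exit }'
}

# audit_forwarding OUTPUT: return 0 if every forwarding feature is
# effectively off, 1 otherwise (one WARN line per feature still reachable)
audit_forwarding() {
    out=$1
    disable=$(get_opt "$out" disableforwarding)
    rc=0
    # TCP and StreamLocal honour DisableForwarding, so either switch suffices.
    # Values may be yes/no/local/remote; anything but "no" leaves a path open.
    for key in allowtcpforwarding allowstreamlocalforwarding; do
        v=$(get_opt "$out" "$key")
        if [ "$disable" != yes ] && [ "$v" != no ]; then
            echo "WARN: $key=$v with disableforwarding=$disable: still allowed"
            rc=1
        fi
    done
    # Agent and X11 ignore DisableForwarding on the affected version, so only
    # the per-feature option counts here.
    for key in allowagentforwarding x11forwarding; do
        v=$(get_opt "$out" "$key")
        if [ "$v" != no ]; then
            echo "WARN: $key=$v: still allowed (disableforwarding=$disable is not honoured)"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the effective configuration from the report's
# second run (DisableForwarding yes, nothing else changed).
SAMPLE_BUGGY='x11forwarding yes
allowtcpforwarding yes
allowagentforwarding yes
disableforwarding yes
allowstreamlocalforwarding yes'

# Stand-alone run: prints two WARN lines for agent and X11 forwarding.
audit_forwarding "$SAMPLE_BUGGY" || echo "=> DisableForwarding is not fully effective"
```

On a real host, pipe the live output in with `audit_forwarding "$(sshd -T)"`; once the server carries the fix, the two per-feature warnings are the ones to re-check.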
-- System Information:
Debian Release: 11.3
APT prefers stable-updates
APT policy: (990, 'stable-updates'), (990, 'stable-security'), (990, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-15-amd64 (SMP w/1 CPU thread)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages openssh-server depends on:
ii adduser 3.118
ii debconf [debconf-2.0] 1.5.77
ii dpkg 1.20.10
ii libaudit1 1:3.0-2
ii libc6 2.31-13+deb11u3
ii libcom-err2 1.46.2-2
ii libcrypt1 1:4.4.18-4
ii libgssapi-krb5-2 1.18.3-6+deb11u1
ii libkrb5-3 1.18.3-6+deb11u1
ii libpam-modules 1.4.0-9+deb11u1
ii libpam-runtime 1.4.0-9+deb11u1
ii libpam0g 1.4.0-9+deb11u1
ii libselinux1 3.1-3
ii libssl1.1 1.1.1n-0+deb11u3
ii libsystemd0 247.3-7
ii libwrap0 7.6.q-31
ii lsb-base 11.1.0
ii openssh-client 1:8.4p1-5
ii openssh-sftp-server 1:8.4p1-5
ii procps 2:3.3.17-5
ii runit-helper 2.10.3
ii ucf 3.0043
ii zlib1g 1:1.2.11.dfsg-2+deb11u1
Versions of packages openssh-server recommends:
ii libpam-systemd [logind] 247.3-7
ii ncurses-term 6.2+20201114-2
ii xauth 1:1.1-1
Versions of packages openssh-server suggests:
ii molly-guard 0.7.2
pn monkeysphere <none>
pn ssh-askpass <none>
pn ufw <none>
-- debconf information:
openssh-server/permit-root-login: true
openssh-server/password-authentication: true
--- openssh-8.4p1.orig-package/session.c 2022-07-04 17:10:25.000000000 +0100
+++ openssh-8.4p1/session.c 2022-07-04 17:21:14.865286957 +0100
@@ -2196,7 +2196,8 @@
if ((r = sshpkt_get_end(ssh)) != 0)
sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
if (!auth_opts->permit_agent_forwarding_flag ||
- !options.allow_agent_forwarding) {
+ !options.allow_agent_forwarding ||
+ options.disable_forwarding) {
debug("%s: agent forwarding disabled", __func__);
return 0;
}
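Review bot: the added `options.disable_forwarding` test is placed correctly (the report's `sshd -T` output shows `allowagentforwarding yes` unchanged when `DisableForwarding yes` is set, so the per-feature flag alone cannot be relied on), but the unchanged `debug("%s: agent forwarding disabled", __func__)` now covers three distinct causes. Consider a separate message for the new case, e.g. `debug("%s: agent forwarding disabled by DisableForwarding", __func__)`, so an administrator reading the sshd debug log can tell which option refused the request.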
@@ -2584,7 +2585,8 @@
ssh_packet_send_debug(ssh, "X11 forwarding disabled by key options.");
return 0;
}
- if (!options.x11_forwarding) {
+ if (!options.x11_forwarding ||
+ options.disable_forwarding) {
debug("X11 forwarding disabled in server configuration file.");
return 0;
}
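Review bot: the X11 branch now reuses "X11 forwarding disabled in server configuration file." for the DisableForwarding case; the text is still true but hides which option applied, and unlike the key-options branch just above (`ssh_packet_send_debug(ssh, "X11 forwarding disabled by key options.");`) nothing is sent to the client, which only sees "X11 forwarding request failed on channel 0" as in the report. Consider a distinct `debug()` text for the DisableForwarding case and, optionally, an `ssh_packet_send_debug()` so that `ssh -v` shows the reason. It is worth stating in the submission that both hunks check the global option after the per-key `auth_opts` checks, so key options and DisableForwarding are evaluated in the same order for agent and X11 forwarding.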