Re: SSH & xauth

From: Robert Watson (robertat_private)
Date: Mon Feb 28 2000 - 18:45:34 PST


On Sat, 26 Feb 2000, David Pybus wrote:

> The issue here has nothing to do with xauth and everything to do with the
> trust granted by SSH. If you use SSH to connect to boxes that you don't
> trust or can't be confident are secure then you should be concerned about
> this. The major threat I see here is that a rooted box could be used to gain
> access to a secure box through the SSH tunnel, even if the secure box is
> behind a firewall that only allows outbound connections.

Since we're discussing problems with the default SSH/OpenSSH trust model,
and X11 is now considered to be risky, we might as well follow on to the
natural successor in the "disable it due to safety" world--the automatic
forwarding of access to the authentication agent.  By default, if you make
use of the authentication agent for key management, any host you connect
to will gain access to the ability to use the authentication agent.  In
the untrusted server scenario we've been discussing, this would present a
significant risk, as anyone exploiting access to the authentication agent
could gain any rights normally authorized by demonstration of the keying
material in use.

I.e., suppose you distributed a single identity.pub to a number of hosts
as authorized_keys to log in.  Suppose you make use of ssh-agent, and
ssh-add, to cache the keying material for use.  Now suppose one of those
hosts is compromised--for the lifetime of your ssh connection, the cracker
of the compromised host can log into any account on the other hosts using
that authorized_keys.

If we're switching to a model where X11 forwarding is disabled by default
on the client, we should also consider disabling agent forwarding, which
can present a similar and significant risk.

  Robert N M Watson

robertat_private              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
    

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:38:25 PDT