Date:      Tue, 29 Feb 2000 09:03:34 -0500 (EST)
From:      Robert Watson <robert@cyrus.watson.org>
To:        Mark Murray <mark@grondar.za>
Cc:        "Daniel O'Connor" <doconnor@gsoft.com.au>, cvs-all@FreeBSD.org, cvs-committers@FreeBSD.org, Mark Murray <markm@FreeBSD.org>
Subject:   Re: cvs commit: src/crypto/openssh auth-krb5.c auth-krb4.c auth- 
Message-ID:  <Pine.NEB.3.96L.1000229085205.42383A-100000@fledge.watson.org>
In-Reply-To: <200002290616.IAA29118@grimreaper.grondar.za>

On Tue, 29 Feb 2000, Mark Murray wrote:

> > 
> > On 28-Feb-00 Mark Murray wrote:
> > >  At the moment, X11 forwarding is ON. I saw a convincing argument
> > >  on bugtraq today for turning it off.
> > 
> > Care to share? I don't subscribe and I can't find an up to date archive :(
> > (securityfocus is lagged a few days ):
> 
> If you have forwarding on, you run xauth on the other side. It's
> eas{y|ier} to compromise that, and attack X with tunnelling. (In
> a nutshell).

Actually, as I pointed out on bugtraq, this is old news, and that xauth is
really sort of spurious to the whole thing.  The real problem is that when
X11 forwarding is enabled in the client, whatever sits on the other side
of the connection is trusted with complete access to the display, for the
lifetime of the connection.

So essentially, by forwarding X11 by default, you are assuming that every
host you connect to is ``trusted''.  In the real world, this is not the
case--the source and destination host should not become equivalent as a
result of your logging into the destination--they are often in different
security domains.  With SSH, it is necessary that security equivalence be
transitive in one direction for the lifetime of the connection, as the
client host clearly has access to the connection. 

The same goes for SSH agent forwarding--defaulting to forwarding on means
that any host you log into gains access to use your keying material for
its own uses, for the lifetime of the connection.  For example, suppose I
use the same public RSA key for logging into freebsd.org, safeport.com,
and watson.org.  If any one of those is compromised (or less trustworthy),
all accounts will be compromised.

Of particular interest is that the OpenSSH people disabled X11
forwarding--in the server, and not the client.  If you are going to
disable it, you should be disabling it on the side where risk is
assumed--the client :-).  This was fixed in a recent OpenBSD commit.  Last
I checked, the fix to cover agent forwarding had not yet been committed.

  Robert N M Watson 

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

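The client-side fix Robert argues for (forwarding off by default, switched on only for
hosts in your own security domain) is usually expressed in ~/.ssh/config, and the one
thing that bites people is ssh_config(5)'s rule that the first value obtained for a
keyword wins, so a per-host opt-in only works if it appears before the catch-all
"Host *" stanza. The following is an added example, not code from the thread or from
OpenSSH: it embeds a constructed ssh_config, resolves the effective ForwardAgent and
ForwardX11 values a client would apply to a given destination, and shows the
misordered variant silently leaving forwarding off for the host you meant to trust.
The host names, the compiled-in defaults of "no" (current OpenSSH behaviour, not the
client discussed in the thread), and the omission of Match/Include handling are all
assumptions of the example.

```python
"""Resolve effective ForwardAgent / ForwardX11 for a destination from ssh_config text.

Added example, not part of the original mail or of OpenSSH.  It models the
first-obtained-value-wins rule of ssh_config(5) for Host blocks only; Match
blocks and Include directives are assumed absent (a Match line raises).
"""
import fnmatch

# Assumed compiled-in client defaults (current OpenSSH); the thread's client
# of the day defaulted X11 forwarding to "yes", which is the point at issue.
BUILTIN_DEFAULTS = {"forwardagent": "no", "forwardx11": "no"}

# Constructed config in the recommended shape: the trusted opt-in comes
# first, the hardened catch-all last.  Host names are illustrative.
SAMPLE_SSH_CONFIG = """\
# Hosts under the same administration as this workstation: forwarding is
# acceptable because compromise of one already implies compromise of the other.
Host *.watson.org fledge
    ForwardAgent yes
    ForwardX11 yes

# Everything else is another security domain: never hand it the display or
# the agent socket for the lifetime of the session.
Host *
    ForwardAgent no
    ForwardX11 no
"""

# Same stanzas, wrong order: "Host *" obtains the values first, so the
# per-host opt-in below it is never consulted.
MISORDERED_CONFIG = """\
Host *
    ForwardAgent no
    ForwardX11 no

Host *.watson.org fledge
    ForwardAgent yes
    ForwardX11 yes
"""


def _host_matches(patterns, host):
    """ssh_config Host matching: '*' and '?' wildcards, case-insensitive,
    and a matching negated pattern ('!pat') rejects the whole stanza."""
    host = host.lower()
    matched = False
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched


def effective_forwarding(config_text, host, defaults=None):
    """Return {'forwardagent': 'yes'|'no', 'forwardx11': 'yes'|'no'} for host.

    Walks the file top to bottom; the first value obtained for each keyword
    wins, exactly as ssh(1) does, so later stanzas never override earlier ones.
    """
    settings = {}
    active = True  # directives before any Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split()  # allow "Keyword=value"
        keyword, args = parts[0].lower(), parts[1:]
        if keyword == "host":
            active = _host_matches(args, host)
            continue
        if keyword == "match":
            raise ValueError("Match blocks are not modelled by this example")
        if active and keyword in BUILTIN_DEFAULTS and keyword not in settings:
            settings[keyword] = args[0].lower()
    for keyword, value in (defaults or BUILTIN_DEFAULTS).items():
        settings.setdefault(keyword, value)
    return settings


def forwarding_enabled_for(config_text, host):
    """True if the remote side would get the agent socket or the X display."""
    s = effective_forwarding(config_text, host)
    return "yes" in (s["forwardagent"], s["forwardx11"])


if __name__ == "__main__":
    for dest in ("fledge", "www.watson.org", "freebsd.org"):
        print(dest, effective_forwarding(SAMPLE_SSH_CONFIG, dest))
    # The misordered file quietly denies the trusted host as well.
    print("misordered fledge", effective_forwarding(MISORDERED_CONFIG, "fledge"))
```

Run it as a script to see the per-destination result; the useful check in practice
is that a host you consider trusted resolves to "yes" only under the correctly
ordered file, and that every other name resolves to "no".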





