Date: Mon, 3 Jan 2000 14:20:51 +0100
From: Eivind Eklund
To: Damien Miller
Cc: Brian Fundakowski Feldman, security@FreeBSD.ORG, openssh-unix-dev@mindrot.org
Subject: Re: OpenSSH protocol 1.6 proposal
Message-ID: <20000103142050.B6173@bitbox.follo.net>

On Mon, Jan 03, 2000 at 07:30:58PM +1100, Damien Miller wrote:
> Apart from standards-compliance, what does SSH2 buy you over a cleaned
> up SSH1?

Functional support for challenge/response authentication, at least. When I looked, I could not find any good way to add this to the 1.x protocol.

I think it still doesn't fix my biggest beef with ssh, though: Agent forwarding. The implementation of this in SSH essentially gives out access for all your accounts to all machines you log into with

* no logs
* no way of restricting who gets authenticated (beyond turning a-f off)
* no way for the machine having the original authentication to verify who is asking for authentication and for what purpose (where to log into)
* a default of sending out agent forwarding
* no way to change the default and still selectively forward

The patches for the latter two problems are trivial; I'm including them below for completeness. Fixing the other problems is not as easy (it requires a bit of thought and several orders of magnitude more coding); if anybody wants to do this, contact me and I'll send you an outline for how to get a reasonable implementation, including backwards compatibility (allows the enhancements to be used securely even when forwarding through servers that have not got support for the enhancements.)

Eivind.

Central patch, to make it possible to selectively enable agent forwarding:

--- ssh.c.orig Wed May 12 13:19:28 1999 +++ ssh.c Sat Nov 6 20:50:55 1999 
@@ -280,6 +280,7 @@ fprintf(stderr, " -l user Log in using this user name.\n"); fprintf(stderr, " -n Redirect input from /dev/null.\n"); fprintf(stderr, " -a Disable authentication agent forwarding.\n"); + fprintf(stderr, " -A Enable authentication agent forwarding.\n"); #if defined(KERBEROS_TGT_PASSING) && defined(KRB5) fprintf(stderr, " -k Disable Kerberos ticket passing.\n"); #endif /* defined(KERBEROS_TGT_PASSING) && defined(KRB5) */ @@ -537,6 +538,10 @@ case 'a': options.forward_agent = 0; + break; + + case 'A': + options.forward_agent = 1; break; case 'k': Change the default to the correct (security rule #1: Disable everything, enable what you need.) --- readconf.c.orig Wed May 12 13:19:27 1999 +++ readconf.c Sat Nov 6 20:47:49 1999 @@ -716,7 +716,7 @@ void fill_default_options(Options *options) { if (options->forward_agent == -1) - options->forward_agent = 1; + options->forward_agent = 0; if (options->forward_x11 == -1) options->forward_x11 = 1; if (options->rhosts_authentication == -1)
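
Review bot: The usage lines in the first ssh.c hunk (@@ -280) list -a and the new -A without saying which is the default, while the readconf.c change flips that default from on to off. Suggest marking it in the help text, for example " -a Disable authentication agent forwarding (default).\n", so the usage output tells a user that forwarding now has to be requested. The visible patch touches only ssh.c and readconf.c; the manual page needs the same update.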
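
Review bot: In the second ssh.c hunk (@@ -537), case 'a' and case 'A' each assign options.forward_agent unconditionally, so when both flags appear on one command line the later one wins with no diagnostic. That is a workable rule, but it should be stated next to the -a/-A usage lines, or the combination should be rejected, since "-a -A" and "-A -a" give opposite results.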
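
Review bot: In fill_default_options (readconf.c, @@ -716), forward_agent now defaults to 0, but the unchanged context line directly below still sets options->forward_x11 = 1 when unset. If the rule is "disable everything, enable what you need", X11 forwarding should get the same treatment or a comment explaining why it stays on. The new default also changes behaviour for every existing user who has no explicit agent-forwarding setting, so it needs a release note.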
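
A client-side check in the spirit of the two patches above, added here as an illustration and not part of the original message or of ssh itself: it resolves whether agent forwarding would be on for a given host and flags config blocks that enable it through a wildcard rather than for a named host. It assumes OpenSSH-style `ssh_config` semantics (the first matching `Host` block that sets `ForwardAgent` wins); the sample config and all function names are constructed, and the `default` parameter stands in for the compiled-in default that the readconf.c patch changes from 1 to 0.

```python
import fnmatch
OFF = {"no", "false"}          # any other value turns forwarding on

# Constructed sample config (assumed OpenSSH-style syntax, not from the message).
SAMPLE = """\
Host bastion.example.org
    ForwardAgent yes
Host *.example.org
    ForwardAgent no
Host *
    ForwardAgent yes
"""

def parse(text):
    """Yield (host_patterns, keyword, value) for every option line."""
    patterns = ["*"]           # options before the first Host line apply to all hosts
    for raw in text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, val = parts[0].lower(), parts[1].strip()
        if key == "host":
            patterns = val.lower().split()
        else:
            yield patterns, key, val.lower()

def host_matches(host, patterns):
    """A matching !pattern vetoes the block; otherwise one positive match selects it."""
    neg = [p[1:] for p in patterns if p.startswith("!")]
    pos = [p for p in patterns if not p.startswith("!")]
    hit = lambda pats: any(fnmatch.fnmatchcase(host.lower(), p) for p in pats)
    return not hit(neg) and hit(pos)

def effective_forward_agent(text, host, default=False):
    """First obtained value wins; with no match, the compiled-in default applies."""
    for patterns, key, val in parse(text):
        if key == "forwardagent" and host_matches(host, patterns):
            return val not in OFF
    return default

def audit(text):
    """Host lines that enable forwarding through a wildcard instead of a named host."""
    return [" ".join(pats) for pats, key, val in parse(text)
            if key == "forwardagent" and val not in OFF
            and any(c in p for p in pats if not p.startswith("!") for c in "*?")]

if __name__ == "__main__":
    print({h: effective_forward_agent(SAMPLE, h) for h in ("bastion.example.org", "db.example.org")})
    print("wildcard enables:", audit(SAMPLE))
```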