bugzilla-daemon at bugzilla.mindrot.org
2018-Oct-03 06:19 UTC
[Bug 2912] New: ssh keeps connection open to ssh-agent for lifetime of connection
https://bugzilla.mindrot.org/show_bug.cgi?id=2912
Bug ID: 2912
Summary: ssh keeps connection open to ssh-agent for lifetime of connection
Product: Portable OpenSSH
Version: 7.6p1
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: anakin at pobox.com
When ssh authenticates to a server using ssh-agent, it seems to open a
single socket to talk to the agent, and cache it so that it can keep
using the same socket for all agent requests needed during the userauth
phase.
At the end of the userauth phase, it doesn't close that socket. So the
ssh client program continues to have a connection open to the
authentication agent for the entire lifetime of the SSH session, even
if that session is not doing agent forwarding.
I can't think of any reason why that agent connection is still useful
after userauth finishes, and leaving it open is mildly inconvenient in
the following scenario (which is how I noticed it):
* ssh from host A to host B, with agent forwarding
* on host B, run tmux or GNU screen
* inside the screen, ssh from host B to host C (without agent forwarding), authenticating via the agent forwarded from A
* detach the tmux session from the terminal and attempt to log out of host B, leaving the ssh from B to C still running inside tmux
In this situation, the ssh client on A does not terminate when the
"session" channel closes, because there's still another channel open,
namely the connection to ssh-agent on A forwarded from the ssh client
running on B. If ssh on B had closed its agent connection once the
userauth phase had finished, this would all work fine.
But aside from the mild inconvenience, is it possible that this might
also be (slightly) relevant to security? It's not a vulnerability in
its own right, but if an attacker *were* to subvert the SSH client
through the connection protocol in some way, it would be better if it
wasn't holding an unnecessary high-value resource such as a trusted
socket to a signing agent. Closing such a socket once it's no longer
needed seems to me like another application of the same principle of
safety as dropping privilege on the server side.
(Observed on ssh 7.4p1 on Debian, 7.6p1 on Ubuntu 18.04, and commit
a46ac4d86 in the repository at
https://github.com/openssh/openssh-portable.)
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2018-Oct-08 23:19 UTC
[Bug 2912] ssh keeps connection open to ssh-agent for lifetime of connection
https://bugzilla.mindrot.org/show_bug.cgi?id=2912
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Assignee|unassigned-bugs at mindrot.org |djm at mindrot.org
CC| |djm at mindrot.org
Status|NEW |ASSIGNED
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Created attachment 3189
--> https://bugzilla.mindrot.org/attachment.cgi?id=3189&action=edit
close agent socket after authentication
It's supposed to close the agent socket, but it wasn't happening
because of a bug. Here's a fix.
bugzilla-daemon at bugzilla.mindrot.org
2018-Oct-08 23:20 UTC
[Bug 2912] ssh keeps connection open to ssh-agent for lifetime of connection
https://bugzilla.mindrot.org/show_bug.cgi?id=2912
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |2893
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2893
[Bug 2893] Tracking bug for 7.9 release
bugzilla-daemon at bugzilla.mindrot.org
2018-Oct-09 06:09 UTC
[Bug 2912] ssh keeps connection open to ssh-agent for lifetime of connection
https://bugzilla.mindrot.org/show_bug.cgi?id=2912
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|2893 |2915
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2893
[Bug 2893] Tracking bug for 7.9 release
https://bugzilla.mindrot.org/show_bug.cgi?id=2915
[Bug 2915] Tracking bug for 8.0 release
bugzilla-daemon at bugzilla.mindrot.org
2018-Nov-09 03:39 UTC
[Bug 2912] ssh keeps connection open to ssh-agent for lifetime of connection
https://bugzilla.mindrot.org/show_bug.cgi?id=2912
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at dtucker.net
Attachment #3189 Flags| |ok?(dtucker at dtucker.net)
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Comment on attachment 3189
--> https://bugzilla.mindrot.org/attachment.cgi?id=3189
close agent socket after authentication
The problem here is that pubkey_prepare() was setting
authctxt.agent_fd, but it was then being clobbered by the subsequent
authctxt preparation in ssh_userauth2().
The fix moves the pubkey_prepare() call down to after the preparation
of authctxt is complete and also adds some cleanup of agent_fd after it
is closed.
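To make the ordering defect described in comment #2 concrete, here is an added illustration in C. It is not OpenSSH's code: the `struct authctxt`, `pubkey_prepare()` and `pubkey_cleanup()` below are hypothetical, simplified stand-ins that model only the one field at issue, and a `socketpair()` plays the role of the connection to ssh-agent. `userauth_buggy()` records the agent fd and then (re)initialises the context, so the cleanup step sees -1 and the socket stays open for the life of the process; `userauth_fixed()` initialises first, connects second, and closes the descriptor once authentication is done. `fd_is_open()` is the check a practitioner would run afterwards.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical, simplified stand-in for the client's authentication context.
 * Not OpenSSH's struct; only the field relevant to this bug is modelled. */
struct authctxt {
    const char *server_user;
    int agent_fd;            /* connection to ssh-agent, or -1 if none */
};

/* Stand-in for pubkey_prepare(): "connects" to the agent by creating a
 * socketpair and recording our end in authctxt->agent_fd. The peer end is
 * handed back through *peer so the caller can close it (it plays the agent). */
static int pubkey_prepare(struct authctxt *authctxt, int *peer)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
        return -1;
    authctxt->agent_fd = sv[0];
    *peer = sv[1];
    return 0;
}

/* Stand-in for the post-authentication cleanup: close the agent socket if
 * one is recorded, then reset the field so it cannot be closed twice. */
static void pubkey_cleanup(struct authctxt *authctxt)
{
    if (authctxt->agent_fd != -1) {
        close(authctxt->agent_fd);
        authctxt->agent_fd = -1;
    }
}

/* Returns 1 if fd is still a valid open descriptor in this process, else 0. */
int fd_is_open(int fd)
{
    return fd >= 0 && fcntl(fd, F_GETFD) != -1;
}

/* Buggy ordering: the agent fd is recorded, then the whole context is
 * initialised, wiping it. Cleanup sees -1 and closes nothing.
 * Returns the descriptor that was opened so the caller can see it leaked. */
int userauth_buggy(void)
{
    struct authctxt authctxt;
    int peer, fd;

    authctxt.agent_fd = -1;
    if (pubkey_prepare(&authctxt, &peer) == -1)
        return -1;
    fd = authctxt.agent_fd;

    /* context initialisation runs *after* pubkey_prepare(): clobbers agent_fd */
    memset(&authctxt, 0, sizeof(authctxt));
    authctxt.server_user = "user";
    authctxt.agent_fd = -1;

    /* ... authentication would run here ... */

    pubkey_cleanup(&authctxt);   /* sees -1, so the socket stays open */
    close(peer);
    return fd;                   /* still open: leaked */
}

/* Fixed ordering: initialise the context first, connect to the agent next,
 * and close the socket once authentication is complete. */
int userauth_fixed(void)
{
    struct authctxt authctxt;
    int peer, fd;

    memset(&authctxt, 0, sizeof(authctxt));
    authctxt.server_user = "user";
    authctxt.agent_fd = -1;

    if (pubkey_prepare(&authctxt, &peer) == -1)
        return -1;
    fd = authctxt.agent_fd;

    /* ... authentication would run here ... */

    pubkey_cleanup(&authctxt);   /* closes the socket and resets agent_fd */
    close(peer);
    return fd;                   /* descriptor number of a now-closed socket */
}

int main(void)
{
    int b = userauth_buggy();
    int f = userauth_fixed();
    printf("buggy ordering: fd %d still open = %d\n", b, fd_is_open(b));
    printf("fixed ordering: fd %d still open = %d\n", f, fd_is_open(f));
    if (fd_is_open(b))
        close(b);
    return 0;
}
```

The same check applies to a live client: after authentication, the ssh process should no longer hold a descriptor connected to the agent socket, and the easiest confirmation is to inspect the process's open descriptors rather than to trust the cleanup path.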
bugzilla-daemon at bugzilla.mindrot.org
2018-Nov-09 03:45 UTC
[Bug 2912] ssh keeps connection open to ssh-agent for lifetime of connection
https://bugzilla.mindrot.org/show_bug.cgi?id=2912
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #3189 Flags|ok?(dtucker at dtucker.net) |ok+
bugzilla-daemon at bugzilla.mindrot.org
2018-Nov-16 02:46 UTC
[Bug 2912] ssh keeps connection open to ssh-agent for lifetime of connection
https://bugzilla.mindrot.org/show_bug.cgi?id=2912
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|ASSIGNED |RESOLVED
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
fix is committed and will be in openssh-8.0. Thanks!
bugzilla-daemon at bugzilla.mindrot.org
2020-Feb-14 04:59 UTC
[Bug 2912] ssh keeps connection open to ssh-agent for lifetime of connection
https://bugzilla.mindrot.org/show_bug.cgi?id=2912
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #4 from Damien Miller <djm at mindrot.org> ---
Closing all resolved bugs with release of openssh-8.2