Dag-Erling Smørgrav
2016-Mar-11 09:41 UTC
OpenSSH Security Advisory: xauth command injection
Nico Kadel-Garcia <nkadel at gmail.com> writes:
> I'm just trying to figure out under what normal circumstances a
> connection with X11 forwarding enabled wouldn't be owned by a user who
> already has normal system privileges for ssh, sftp, and scp access.

Some OS distributions (FreeBSD, RHEL / CentOS, probably Fedora) have
X11Forwarding enabled by default.

DES
--
Dag-Erling Smørgrav - des at des.no
Nico Kadel-Garcia
2016-Mar-11 13:16 UTC
OpenSSH Security Advisory: xauth command injection
On Fri, Mar 11, 2016 at 4:41 AM, Dag-Erling Smørgrav <des at des.no> wrote:
> Nico Kadel-Garcia <nkadel at gmail.com> writes:
>> I'm just trying to figure out under what normal circumstances a
>> connection with X11 forwarding enabled wouldn't be owned by a user who
>> already has normal system privileges for ssh, sftp, and scp access.
>
> Some OS distributions (FreeBSD, RHEL / CentOS, probably Fedora) have
> X11Forwarding enabled by default.
>
> DES

I'm not sure I see your point. The client connection is still associated
with a specific client user and, in most situations, their normal SSH,
scp, and sftp client privileges.

I can see where, for a ForceCommand limited connection, it provides a way
to break out of the ForceCommand limitations. I could see, for such a
configuration, setting the sshd_config or authorized_keys options to set
XauthLocation to /dev/null as well as disabling AllowTCPForwarding,
AllowAgentForwarding, AcceptEnv, etc.

Using ForceCommand securely can be tricky: this sounds like another
reason to be very cautious, and especially not to rely on it for
restricting connections for X based applications.
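A concrete form of the restriction Nico describes above, as an added example that is not part of the thread or of OpenSSH's own documentation: a global XAuthLocation stopgap plus an sshd_config Match block that strips every kind of forwarding from a ForceCommand-only group, and the equivalent per-key authorized_keys options. The group name `gitusers`, the wrapper path `/usr/local/bin/git-shell-wrapper` and the truncated key are assumptions chosen for illustration.

```conf
# /etc/ssh/sshd_config  (added example; group name and command path are assumed)

# Global stopgap for hosts that cannot simply turn X11 forwarding off:
# sshd still accepts the X11 request, but there is no xauth binary to
# hand the untrusted cookie data to.
XAuthLocation /dev/null

# Users who only ever get a ForceCommand should get no forwarding at all.
# AcceptEnv is deliberately left unset here: the default accepts no client
# environment variables, so "disabling" it means not listing any.
Match Group gitusers
    ForceCommand /usr/local/bin/git-shell-wrapper
    X11Forwarding no
    AllowTcpForwarding no
    AllowAgentForwarding no
    PermitTTY no

# ~/.ssh/authorized_keys  (same restrictions bound to one key; key body elided)
no-X11-forwarding,no-port-forwarding,no-agent-forwarding,no-pty,command="/usr/local/bin/git-shell-wrapper" ssh-ed25519 AAAA...
```

The Match block is the safer of the two places to put this: authorized_keys options protect only the key they are attached to, and a user who can write their own authorized_keys through the forced command can drop them, whereas sshd_config is root-owned. Run `sshd -T -C user=<name>` after editing to confirm the effective values for a member of the group.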
Dag-Erling Smørgrav
2016-Mar-11 14:15 UTC
OpenSSH Security Advisory: xauth command injection
Nico Kadel-Garcia <nkadel at gmail.com> writes:
> Dag-Erling Smørgrav <des at des.no> writes:
> > Some OS distributions (FreeBSD, RHEL / CentOS, probably Fedora) have
> > X11Forwarding enabled by default.
> I'm not sure I see your point.

With X11Forwarding off by default, one would assume that it is only
enabled on a case-by-case basis for users or groups who already have the
necessary privileges to run arbitrary code on the server and therefore
have nothing to gain from exploiting this bug. With X11Forwarding on by
default, it might remain enabled for e.g. gitolite users.

DES
--
Dag-Erling Smørgrav - des at des.no