Dag-Erling Smørgrav
2016-Mar-11 14:15 UTC
OpenSSH Security Advisory: xauth command injection
Nico Kadel-Garcia <nkadel at gmail.com> writes:
> Dag-Erling Smørgrav <des at des.no> writes:
> > Some OS distributions (FreeBSD, RHEL / CentOS, probably Fedora) have
> > X11Forwarding enabled by default.
> I'm not sure I see your point.

With X11Forwarding off by default, one would assume that it is only enabled on a case-by-case basis for users or groups who already have the necessary privileges to run arbitrary code on the server and therefore have nothing to gain from exploiting this bug. With X11Forwarding on by default, it might remain enabled for e.g. gitolite users.

DES
--
Dag-Erling Smørgrav - des at des.no
Nico Kadel-Garcia
2016-Mar-14 00:08 UTC
OpenSSH Security Advisory: xauth command injection
On Fri, Mar 11, 2016 at 9:15 AM, Dag-Erling Smørgrav <des at des.no> wrote:
> Nico Kadel-Garcia <nkadel at gmail.com> writes:
>> Dag-Erling Smørgrav <des at des.no> writes:
>> > Some OS distributions (FreeBSD, RHEL / CentOS, probably Fedora) have
>> > X11Forwarding enabled by default.
>> I'm not sure I see your point.
>
> With X11Forwarding off by default, one would assume that it is only
> enabled on a case-by-case basis for users or groups who already have the
> necessary privileges to run arbitrary code on the server and therefore
> have nothing to gain from exploiting this bug. With X11Forwarding on by
> default, it might remain enabled for e.g. gitolite users.
>
> DES

OK, right. gitolite and similar tools that use ForceCommand, such as "svn+ssh" based setups or "rsnapshot" based backup setups, should ideally be publishing keys with ForceCommand and "no-port-forwarding,no-X11-forwarding,no-pty" options.
On Sun, 13 Mar 2016, Nico Kadel-Garcia wrote:
> >> Dag-Erling Smørgrav <des at des.no> writes:
> >> > Some OS distributions (FreeBSD, RHEL / CentOS, probably Fedora) have
> >> > X11Forwarding enabled by default.
> >> I'm not sure I see your point.
> >
> > With X11Forwarding off by default, one would assume that it is only
> > enabled on a case-by-case basis for users or groups who already have the
> > necessary privileges to run arbitrary code on the server and therefore
> > have nothing to gain from exploiting this bug. With X11Forwarding on by
> > default, it might remain enabled for e.g. gitolite users.
>
> OK, right. gitolite and similar tools that use ForceCommand, such as
> "svn+ssh" based setups or "rsnapshot" based backup setups, should
> ideally be publishing keys with ForceCommand and
> "no-port-forwarding,no-X11-forwarding,no-pty" options.

better to use "restrict" if you're running a recent OpenSSH
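The thread's advice is that forced-command keys (gitolite, svn+ssh, rsnapshot) should also carry `restrict` or at least `no-X11-forwarding`. The following is an added audit script, not code from the thread or from OpenSSH, that parses authorized_keys option fields (quote-aware, since `command="..."` may contain commas and spaces) and reports keys with `command=` but no `restrict` or `no-X11-forwarding`; the sample file and key blobs are constructed placeholders.

```python
# Key types sshd accepts; a line starting with one of these has no options field.
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

# Constructed sample authorized_keys; the base64 blobs are placeholders.
AUTHORIZED_KEYS = """\
# gitolite / backup keys (constructed sample)
command="gitolite-shell alice" ssh-ed25519 AAAAalice alice@example
command="gitolite-shell bob",no-port-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAAbob bob@example
restrict,command="/usr/local/bin/rsnapshot-wrapper, --verbose" ssh-rsa AAAAbackup backup@example
ssh-ed25519 AAAAadmin admin@example
"""

def split_fields(line):
    """Split off the leading options field: it ends at the first whitespace
    outside double quotes (a backslash inside quotes escapes the next char)."""
    quoted, i = False, 0
    while i < len(line) and (quoted or not line[i].isspace()):
        if line[i] == "\\" and quoted:
            i += 1
        elif line[i] == '"':
            quoted = not quoted
        i += 1
    return line[:i], line[i:].strip()

def split_options(text):
    """Split the options field on commas that are not inside double quotes."""
    opts, cur, quoted, i = [], "", False, 0
    while i < len(text):
        c = text[i]
        if c == "\\" and quoted and i + 1 < len(text):
            cur += text[i + 1]; i += 2; continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            opts.append(cur); cur = ""; i += 1; continue
        cur += c; i += 1
    return opts + ([cur] if cur else [])

def parse_line(line):
    """Return (options, key type) for a key line, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    first, rest = split_fields(line)
    if first in KEY_TYPES:
        return [], first
    return split_options(first), (rest.split(None, 1)[0] if rest else "")

def audit(lines):
    """Line numbers of forced-command keys that still allow X11 forwarding:
    command= present, but neither restrict nor no-X11-forwarding (names are
    matched case-insensitively, as sshd does)."""
    findings = []
    for n, line in enumerate(lines, 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        names = {o.split("=", 1)[0].lower() for o in parsed[0]}
        if "command" in names and not ({"restrict", "no-x11-forwarding"} & names):
            findings.append(n)
    return findings

if __name__ == "__main__":
    for n in audit(AUTHORIZED_KEYS.splitlines()):
        print("line %d: forced command without restrict/no-X11-forwarding" % n)
```

Only the alice key (line 2 of the sample) is reported; bob's explicit `no-X11-forwarding` and the backup key's `restrict` both pass.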