Date: Tue, 29 Feb 2000 09:03:34 -0500 (EST)
From: Robert Watson <robert@cyrus.watson.org>
To: Mark Murray <mark@grondar.za>
Cc: "Daniel O'Connor" <doconnor@gsoft.com.au>, cvs-all@FreeBSD.org, cvs-committers@FreeBSD.org, Mark Murray <markm@FreeBSD.org>
Subject: Re: cvs commit: src/crypto/openssh auth-krb5.c auth-krb4.c auth-
Message-ID: <Pine.NEB.3.96L.1000229085205.42383A-100000@fledge.watson.org>
In-Reply-To: <200002290616.IAA29118@grimreaper.grondar.za>
On Tue, 29 Feb 2000, Mark Murray wrote:

> > > > On 28-Feb-00 Mark Murray wrote:
> > > At the moment, X11 forwarding is ON. I saw a convincing argument
> > > on bugtraq today for turning it off.
> >
> > Care to share? I don't subscribe and I can't find an up to date archive :(
> > (securityfocus is lagged a few days ):
>
> If you have forwarding on, you run xauth on the other side. It's
> eas{y|ier} to compromise that, and attack X with tunnelling. (In
> a nutshell).

Actually, as I pointed out on bugtraq, this is old news, and xauth is really sort of spurious to the whole thing. The real problem is that when X11 forwarding is enabled in the client, whatever sits on the other side of the connection is trusted with complete access to the display, for the lifetime of the connection. So essentially, by forwarding X11 by default, you are assuming that every host you connect to is ``trusted''. In the real world, this is not the case--the source and destination host should not become equivalent as a result of your logging into the destination--they are often in different security domains. With SSH, it is necessary that security equivalence be transitive in one direction for the lifetime of the connection, as the client host clearly has access to the connection.

The same goes for SSH agent forwarding--defaulting to forwarding on means that any host you log into gains access to use your keying material for its own uses, for the lifetime of the connection. For example, suppose I use the same public RSA key for logging into freebsd.org, safeport.com, and watson.org. If any one of those is compromised (or less trustworthy), all accounts will be compromised.

Of particular interest is that the OpenSSH people disabled X11 forwarding--in the server, and not the client. If you are going to disable it, you should be disabling it on the side where risk is assumed--the client :-). This was fixed in a recent OpenBSD commit.
Last I checked, the fix to cover agent forwarding had not yet been committed.

Robert N M Watson
robert@fledge.watson.org
http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
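The defender-side check implied by the message above, added here as an example and not part of the mail or of OpenSSH itself: audit a client ssh_config for which hosts would actually get X11 or agent forwarding, honouring ssh_config's first-obtained-value rule and a catch-all `Host *` block that turns both off. The sample config is constructed; Host pattern matching is approximated with `fnmatch` (an assumption: ssh's own matcher supports `*`, `?` and `!` negation, which this covers, but not `[...]` classes).

```python
import fnmatch

# Constructed sample ~/.ssh/config: one host opts in to both forwardings,
# every other host falls through to the catch-all block that disables them.
SAMPLE_CONFIG = """\
Host build.example.org
    ForwardAgent yes
    ForwardX11 yes

Host *.example.org
    ForwardX11 no

Host *
    ForwardAgent no
    ForwardX11 no
"""

def parse_ssh_config(text):
    """Split ssh_config text into ordered (patterns, options) blocks.
    Options before the first Host line form a leading block matching '*'."""
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)       # first value in a block wins
    return blocks

def block_applies(patterns, host):
    """A block applies if some positive pattern matches and no negated one does."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched

def effective_option(blocks, host, key, default):
    """ssh_config semantics: the first obtained value for an option wins."""
    for patterns, options in blocks:
        if block_applies(patterns, host) and key.lower() in options:
            return options[key.lower()]
    return default

def forwarding_enabled(text, host, compiled_default="no"):
    """Which client-side forwardings would be live for `host`.
    `compiled_default` must match what the ssh binary uses when unset."""
    blocks = parse_ssh_config(text)
    return {opt: effective_option(blocks, host, opt, compiled_default).lower() == "yes"
            for opt in ("ForwardX11", "ForwardAgent")}
```

Run it against a real client config with the binary's compiled-in default for `compiled_default`; any host reporting `True` is one the client is trusting with its display or its keys for the life of each session.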