Date:      Sat, 19 Feb 2000 21:22:29 -0500 (EST)
From:      Robert Watson <robert@cyrus.watson.org>
To:        Brian Fundakowski Feldman <green@FreeBSD.org>
Cc:        freebsd-security@FreeBSD.org
Subject:   Re: ssh client options
Message-ID:  <Pine.NEB.3.96L.1000219211643.712N-100000@fledge.watson.org>
In-Reply-To: <Pine.BSF.4.21.0002192057020.71349-100000@green.dyndns.org>

On Sat, 19 Feb 2000, Brian Fundakowski Feldman wrote:

> On Sat, 19 Feb 2000, Robert Watson wrote:
> 
> > Before we cut 4.0, could we please change the ssh_config default options
> > from CheckHostIP yes to CheckHostIP no?  I work in an environment with
> > dynamic IP addresses and DNS, and this option makes a big mess of things.
> > The key used by SSH should be the key asked for by the user, and found in
> > the keys file (or other key discovery system, such as DNSsec, etc).
> > Right now, if two hosts swap IP addresses (perfectly legitimate) then
> > incorrect security warnings will be displayed.  It should not be up to the
> > client/user to track IP address accuracy, especially with the advent of
> > IPv6.  This is why we have DNS!
> 
> This part needs to be brought up on freebsd-security.  We're but two people,
> and undoubtedly there are more factors here than either of us sees alone
> or combined.  I'm not passing the buck, tho :)

Ok, I've CC'd -security in the hopes that people will comment yay/nay on
the following change:

  Right now OpenSSH defaults to having ``CheckIP yes'' in ssh_config.  The
  result is that every time a user connects to a host, it stamps that host
  IP in the user's keyfile.  If the host changes IP addresses, such as in
  a dynamic key environment, and a new host takes up this IP, you'll get
  spurious security warnings.  Dynamic IP addresses and DNS are only going
  to become more common (they are already quite common) and this is an
  anti-feature.

> > And while we're stomping incorrect security features--why is X11
> > forwarding turned off in the server by default?  The server risks nothing,
> > it's the client who accepts risk by using X11 forwarding, and so it should
> > be the clients policy to disable X11 if we're to gain security through
> > this.  If we must disable X11 by default, it should be disabled in the
> > client, and enabled using ``-x'' or a config file option.
> 
> Warner Losh will tell you more about that.  Basically, it's a security
> hole on either side.  If everything's our OpenSSH, it's not open at all
> by default; if we don't have X11 disabled in the server, it's open in
> the client and server both, but if we have it disabled in the client,
> it's open in the server, but that's only half of it...

I see a clear risk to the client connecting to an untrusted server results
in yielding access to your display by default, for screen captures,
keyboard captures, remote key insertion, etc.  Could you further document
the risk to the server?

> > Also, would it be possible to change the OpenSSH port so that it installed
> > ssh_config.dist and sshd_config.dist instead?  Right now, despite the
> > anti-tromping efforts, my config files seem to get squished during an
> > upgrade (delete followed by install).  Apache uses this technique to make
> > upgrades far easier (and safer).
> 
> The best way to anti-tromp something is to add the schg flag to it, or
> possibly just uchg.  I suppose I'll add something which checks if the
> install(1) fails because of schg/uchg and copies to a .dist.

Encouraging the use of schg as an option to prevent new ports from
squashing config files seems to me to be an abuse of file flags.  If you
already have all the settings in ssh_config and sshd_config as the
defaults, installing to the .dist names makes sense in all situations.
When an admin wants to change a setting, they copy the .dist file to the
normal filename, or just rename the .dist filename.  In this manner,
pkg_delete never zaps custom config files, pkg_add never squishes them,
etc.  Admins are also explicitly aware of when they move away from a
default setting, etc.  I've found this behavior in Apache (and others) to
be extremely useful.  It also means that even with a safe port/package
install, you have easy access to the new distributed config files so can
merge changes easily.

  Robert N M Watson 

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
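The CheckHostIP behaviour the thread argues about, as an added example that is not part of the original message and is not OpenSSH's code: a small emulation of known_hosts matching that shows why two hosts legitimately swapping IP addresses triggers a warning when the client also keys on the IP, and why the same connection is accepted with the option off. The known_hosts lines, hostnames, addresses and key strings are all constructed placeholders; hashed (`|1|`) and `@`-marker entries are deliberately skipped, and the verdict strings are this example's own names for the outcomes, not ssh's messages.

```python
"""Emulate how an ssh client consults known_hosts with CheckHostIP on/off.

Added example (assumption: plain, unhashed known_hosts lines of the form
"name1,name2 keytype base64key"). Not OpenSSH's implementation.
"""

# Constructed fake keys; real keys are base64 blobs, these are placeholders.
ALPHA_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIAlphaPlaceholderKeyAlphaPlaceholder"
BETA_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIBetaPlaceholderKeyBetaPlaceholderKey"

# Constructed known_hosts: alpha was recorded at .10 and beta at .11, which is
# what a client with CheckHostIP yes stamps into the file on first contact.
SAMPLE_KNOWN_HOSTS = f"""\
# two hosts in a dynamic-address pool
alpha.example.net,192.0.2.10 ssh-ed25519 {ALPHA_KEY}
beta.example.net,192.0.2.11 ssh-ed25519 {BETA_KEY}
|1|hashedsalt=|hashedname= ssh-ed25519 {BETA_KEY}
"""


def parse_known_hosts(text):
    """Return a list of (set_of_names, keytype, key); skip comments, hashed
    entries and @cert-authority/@revoked markers, which this example ignores."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        if line.startswith("|1|"):
            continue  # hashed hostnames need HMAC matching; out of scope here
        parts = line.split()
        if len(parts) < 3:
            continue
        names = set(parts[0].split(","))
        entries.append((names, parts[1], parts[2]))
    return entries


def lookup(entries, name, keytype):
    """Key recorded for exactly this name (hostname or IP) and key type."""
    for names, kt, key in entries:
        if name in names and kt == keytype:
            return key
    return None


def check_host(entries, hostname, ip, keytype, presented_key, check_host_ip=True):
    """Decide what the client does with the key the server just presented.

    Verdicts (this example's names, not ssh's wording):
      unknown-host       no entry for the hostname at all
      host-key-changed   hostname known, key differs (the real alarm)
      ok                 hostname key matches; IP not consulted or consistent
      ok-ip-added        hostname key matches, IP unseen; ssh would record it
      ip-key-mismatch    hostname key matches but the IP was last seen with a
                         different key: the spurious warning when hosts swap IPs
    """
    host_key = lookup(entries, hostname, keytype)
    if host_key is None:
        return "unknown-host"
    if host_key != presented_key:
        return "host-key-changed"
    if not check_host_ip:
        return "ok"  # CheckHostIP no: the name and its key are all that matter
    ip_key = lookup(entries, ip, keytype)
    if ip_key is None:
        return "ok-ip-added"
    if ip_key != presented_key:
        return "ip-key-mismatch"
    return "ok"


if __name__ == "__main__":
    hosts = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    # alpha and beta have swapped addresses; alpha still presents its own key.
    for flag in (True, False):
        verdict = check_host(hosts, "alpha.example.net", "192.0.2.11",
                             "ssh-ed25519", ALPHA_KEY, check_host_ip=flag)
        print(f"CheckHostIP {'yes' if flag else 'no '}: {verdict}")
```

With the option on, the swap yields `ip-key-mismatch` even though the host's own key is exactly the one the user asked for; with it off, only a change of the key recorded under the hostname (`host-key-changed`) raises an alarm, which is the behaviour the message argues should be the default.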



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message