Hey. Interesting that you bring this up now... I've actually looked into this a week ago but forgot to write a bug report.

A simple test showed that ssh doesn't employ any security checks... when it is able to open the socket, it'll apparently use it. I tried something like this last week:

    user@hostA:~$ ssh -o ControlMaster=yes -o ControlPath=/tmp/sshmux hostB

and then:

    root@hostA:~$ ssh -o ControlMaster=no -o ControlPath=/tmp/sshmux hostC

As you can see, the socket is created by user, and root "accidentally" uses it, even when trying to connect to another node. ssh will just do so without any complaints. And even when one uses something like %h, %p or the like, an attacker can easily guess these.

Since it doesn't seem to be documented that the socket must be created in a secure location, and since there aren't any owner checks like sshd's StrictModes either... I'd probably consider that a security hole. Upstream, what do you think?

Cheers,
Chris.

btw: I cannot answer your second question, perhaps one of the developers knows more about that.
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
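The owner, mode and location checks that the message above says ssh does not perform before reusing a ControlMaster socket, as an added example that is not part of the original post and not OpenSSH code. It is a pre-flight check a wrapper could run before passing a ControlPath to ssh: the parent directory must belong to the caller and not be group/world-writable (so a shared directory like /tmp is rejected outright), and an existing socket must actually be a socket, owned by the caller, with no group/other bits. The function names, the `expected_uid` parameter (used to model another account such as root pointing at a socket it did not create) and the temporary directories and fake socket in `demo()` are all constructed for this example.

```python
#!/usr/bin/env python3
"""Pre-flight check for an OpenSSH ControlPath socket.

Added example, not OpenSSH code: it performs the owner / mode / location
checks the message above says ssh does not do before reusing a
ControlMaster socket. All names here are this example's own.
"""
import os
import socket
import stat
import tempfile


def control_socket_problems(path, expected_uid=None):
    """Return a list of reasons why `path` must not be used as a ControlPath.

    An empty list means the directory is private to `expected_uid` and the
    socket, if it already exists, is a real socket owned by that uid with no
    group/other permission bits. `expected_uid` defaults to the caller's
    effective uid; passing another uid models a different account (e.g. root)
    pointing ControlPath at a socket it did not create.
    """
    if expected_uid is None:
        expected_uid = os.geteuid()
    problems = []
    path = os.path.abspath(path)
    parent = os.path.dirname(path)

    # 1. The directory: must be ours and not writable by group/others.
    #    A world-writable directory like /tmp lets anyone pre-create or
    #    replace the socket name, sticky bit or not.
    try:
        dst = os.lstat(parent)
    except FileNotFoundError:
        return [f"{parent}: directory does not exist"]
    if not stat.S_ISDIR(dst.st_mode):
        problems.append(f"{parent}: not a directory")
    if dst.st_uid != expected_uid:
        problems.append(f"{parent}: owned by uid {dst.st_uid}, not {expected_uid}")
    if dst.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{parent}: group/world-writable "
                        f"(mode {oct(stat.S_IMODE(dst.st_mode))})")

    # 2. The socket itself, if present (ControlMaster=yes would create it).
    try:
        sst = os.lstat(path)
    except FileNotFoundError:
        return problems
    if not stat.S_ISSOCK(sst.st_mode):
        problems.append(f"{path}: exists but is not a socket")
    if sst.st_uid != expected_uid:
        problems.append(f"{path}: owned by uid {sst.st_uid}, not {expected_uid}")
    if sst.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path}: accessible to group/others "
                        f"(mode {oct(stat.S_IMODE(sst.st_mode))})")
    return problems


def make_fake_mux_socket(path):
    """Create a listening AF_UNIX socket at `path`: a stand-in (constructed for
    this example) for the socket a ControlMaster ssh leaves behind. Bound under
    umask 0177 so the socket file ends up mode 0600."""
    old = os.umask(0o177)
    try:
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.bind(path)
        s.listen(1)
    finally:
        os.umask(old)
    return s


def demo():
    """Replay the scenario from the message in a temp dir; return the findings."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        # Private location, like a 0700 ~/.ssh: accepted for our own socket.
        private = os.path.join(root, "private")
        os.mkdir(private, 0o700)
        good = os.path.join(private, "sshmux")
        srv = make_fake_mux_socket(good)
        try:
            results["own_socket_private_dir"] = control_socket_problems(good)
            # Same socket seen from another account (root in the message):
            # the owner mismatch is reported instead of silently reused.
            results["other_user_reusing_it"] = control_socket_problems(
                good, expected_uid=os.geteuid() + 1)
        finally:
            srv.close()

        # Shared location like /tmp (mode 1777): rejected before any socket exists.
        shared = os.path.join(root, "tmp")
        os.mkdir(shared)
        os.chmod(shared, 0o1777)
        results["private_socket_shared_dir"] = control_socket_problems(
            os.path.join(shared, "sshmux"))

        # A plain file squatting on the socket name inside the private dir.
        squat = os.path.join(private, "squat")
        open(squat, "w").close()
        results["regular_file_at_path"] = control_socket_problems(squat)
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {'OK' if not problems else 'REJECT'}")
        for p in problems:
            print("   ", p)
```

Running it prints OK for the private-directory case and REJECT with the reason for the other three. The fix on the user side is the same thing the check enforces: put the ControlPath under a directory only the user can write to (such as a 0700 ~/.ssh) rather than /tmp, so that neither another account nor a squatted filename can be substituted for the socket.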