On Mon, 10 Nov 2014, Christoph Anton Mitterer wrote:

> Hey.
>
> Interesting that you bring this up now... I've actually looked into this
> a week ago but forgot to write a bug report.
>
> A simple test showed that ssh doesn't employ any security checks...
> when it is able to open the socket, it'll use it apparently:
>
> I tried last week something like this:
> user@hostA:~$ ssh -o ControlMaster=yes -o ControlPath=/tmp/sshmux hostB
>
> and then:
> root@hostA:~$ ssh -o ControlMaster=no -o ControlPath=/tmp/sshmux hostC
>
> As you can see, the socket is created by user, and root "accidentally"
> uses it, even trying to connect to another node.
> ssh will just do so without any complaints.
>
> And even when one uses something like %h, %p or the like, an attacker
> can easily guess these.
>
> Since it doesn't seem to be documented that the socket must be created
> in a secure location, and since there are no owner checks like
> sshd's StrictModes either... I'd probably consider that a security hole.
>
> upstream, what do you think?

This behaviour is intentional. root is allowed to connect to users' control
sockets for a number of reasons. These include making them work across sudo
and it being mostly pointless to restrict root on a system.

If you want to avoid root connecting to a suspect socket, then ensure root's
sockets are created in a directory that is not writable by untrusted users.

I use "ControlPath ~/.ssh/ctl-%C"

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
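The reply's mitigation is a property of the directory, not of ssh: the socket named by ControlPath must live somewhere only the invoking user can write, so that nobody else can plant a socket at a guessable path. The following POSIX shell check is an added example written for this page; it is not code from the thread or from OpenSSH. The function names (control_dir_is_safe, owner_and_mode) are my own, and it assumes either GNU stat (-c) or BSD stat (-f) is available. It encodes the rule from the reply: the directory must exist, must not be a symlink, must be owned by the caller, and must carry no group or other write bit, which is exactly why a 1777 directory such as /tmp is rejected while a 0700 ~/.ssh passes.

```shell
#!/bin/sh
# Added example, not part of the openssh-unix-dev thread or of OpenSSH:
# decide whether a directory is safe to hold an ssh ControlPath socket.
# Rule (from the reply above): owned by the invoking user and not writable
# by group or others. Exit status 0 means safe, 1 means do not use it.
# Usage: control_dir_is_safe /path/to/dir

# Print "<owner-uid> <octal-mode>" for a path. Tries GNU stat first, then
# BSD stat (assumption: one of the two is installed).
owner_and_mode() {
    if stat -c '%u %a' "$1" 2>/dev/null; then
        return 0
    fi
    stat -f '%u %OLp' "$1" 2>/dev/null
}

control_dir_is_safe() {
    dir=$1
    # A symlink could point somewhere the caller does not control; refuse it.
    [ -L "$dir" ] && return 1
    # Must exist and be a directory.
    [ -d "$dir" ] || return 1

    set -- $(owner_and_mode "$dir")
    owner_uid=$1
    mode=$2
    [ -n "$mode" ] || return 1

    # The directory must belong to the user running ssh.
    [ "$owner_uid" = "$(id -u)" ] || return 1

    # Second-to-last octal digit is the group permission; reject any write bit.
    case "$mode" in
        *[2367]?) return 1 ;;
    esac
    # Last octal digit is the "other" permission; reject any write bit
    # (this is what rules out /tmp and other 1777 directories).
    case "$mode" in
        *[2367]) return 1 ;;
    esac
    return 0
}

# When run directly with directory arguments, report each one.
for d in "$@"; do
    if control_dir_is_safe "$d"; then
        echo "safe:   $d"
    else
        echo "UNSAFE: $d"
    fi
done
```

Run it as `sh check-ctl-dir.sh ~/.ssh /tmp` before pointing ControlPath at a directory; a reasonable companion is the reply's own setting, `ControlPath ~/.ssh/ctl-%C`, since `%C` hashes host, port and user into the name and ~/.ssh is normally mode 0700. The check deliberately ignores the socket file itself: if the directory is safe, only its owner could have created the socket, which is the guarantee the reply relies on.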