Re: BUG: simple attack when control channel muxing is used (was: Re: ControlMaster question)

On Mon, 10 Nov 2014, Christoph Anton Mitterer wrote:

> Hey.
> 
> Interesting that you bring this up now... I've actually looked into this
> a week ago but forgot to write a bug report.
> 
> A simple test showed that ssh doesn't employ any security checks...
> when it is able to open the socket, it'll apparently use it:
> 
> I tried last week something like this:
> user@hostA:~$ ssh -o ControlMaster=yes -o ControlPath=/tmp/sshmux hostB
> 
> and then:
> root@hostA:~$ ssh -o ControlMaster=no -o ControlPath=/tmp/sshmux hostC
> 
> As you can see, the socket is created by user, and root "accidentally"
> uses it, even trying to connect to another node.
> ssh will just do so without any complaints.
> 
> And even when one uses something like %h, %p or the like, an attacker
> can easily guess these.
> 
> Since it doesn't seem to be documented that the socket must be created
> in a secure location, and since there aren't any owner checks like
> sshd's StrictMode either... I'd probably consider that a security hole.
> 
> Upstream, what do you think?

This behaviour is intentional. root is allowed to connect to users'
control sockets for a number of reasons. These include making them work
across sudo and it being mostly pointless to restrict root on a system.

If you want to avoid root connecting to a suspect socket, then ensure
root's sockets are created in a directory that is not writable by
untrusted users. I use "ControlPath ~/.ssh/ctl-%C"




_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
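
The directory requirement from the reply above, as an added example (not part of the original message and not OpenSSH code): a POSIX shell check that a ControlPath directory and each of its ancestors is owned by the invoking user or root and carries no group or other write bit. The function names are hypothetical, and only mode bits are examined, not ACLs.

```shell
#!/bin/sh
# Added example; dir_is_private and controlpath_dir_safe are hypothetical names.
# Only POSIX mode bits are checked; ACLs are not examined.

# dir_is_private DIR
# Succeeds if DIR is owned by the caller or root and is not group/other writable.
dir_is_private() {
    # Field 1 of "ls -ldn" is the mode string, field 3 the numeric owner.
    meta=$(ls -ldn -- "$1" 2>/dev/null | awk 'NR==1 {print $1, $3}')
    [ -n "$meta" ] || { echo "$1: cannot stat" >&2; return 1; }
    perms=${meta% *}
    owner=${meta#* }
    case $perms in
        d*) ;;
        *) echo "$1: not a directory" >&2; return 1 ;;
    esac
    # Character 6 is the group write bit, character 9 the other write bit.
    case $perms in
        ?????w*|????????w*)
            echo "$1: writable by group or others ($perms)" >&2
            return 1 ;;
    esac
    if [ "$owner" != "$(id -u)" ] && [ "$owner" != 0 ]; then
        echo "$1: owned by uid $owner" >&2
        return 1
    fi
    return 0
}

# controlpath_dir_safe DIR [STOP]
# Checks DIR and every ancestor up to STOP (default /). A writable ancestor
# lets another user replace the directory that holds the control socket.
controlpath_dir_safe() {
    cur=$(cd -- "$1" 2>/dev/null && pwd -P) || { echo "$1: no such directory" >&2; return 1; }
    stop=$(cd -- "${2:-/}" 2>/dev/null && pwd -P) || stop=/
    while :; do
        dir_is_private "$cur" || return 1
        if [ "$cur" = "$stop" ] || [ "$cur" = / ]; then
            return 0
        fi
        cur=$(dirname -- "$cur")
    done
}
```

Run as `controlpath_dir_safe "$HOME/.ssh"` before relying on a `ControlPath` under that directory; a path such as `/tmp/sshmux` fails because `/tmp` is writable by other users.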



