Bugtraq mailing list archives
Re: SSH / X11 auth: needless complexity -> security problems?
From: Markus Friedl <mfriedl () genua de>
Date: Wed, 6 Jun 2001 10:11:18 +0200
On Tue, Jun 05, 2001 at 03:21:32PM -0400, Peter W wrote:
> As for the patches that are more careful when creating /tmp/ssh-XXXXXXXX/cookies -- isn't there still an assumption that /tmp/ssh-XXXXXXXX/cookies won't be removed before the ssh session ends?
no. sshd did switch uid/groups before creating the dir and the file, but did not when deleting them. the same applies to agent forwarding.
> then don't you have another attack vector -- regardless of how careful you were when creating the cookies file & its parent directory?
no, i don't think so.
> It seems to me this whole xauthority business may be adding complexity for no good reason. Since the DISPLAY name changes, and an Xauthority file can hold multiple X cookie credentials, is there any good reason why OpenSSH needs to make, and then, wipe out, a special xauthority file? why it can't just add credentials to the default xauthority file? Wouldn't that be simpler and, almost by definition, more secure? If you really want to be polite/clean, you can use the xauth "remove" command to purge the cookie from ~/.Xauthority
this feature was inherited from ossh and the reason was:
1) if $HOME is on NFS, then the cookie travels unencrypted over the network, this defeats the purpose of X11-fwding
2) $HOME/.Xauthority gets polluted with temporary cookies.

however, i'm not sure whether the benefit justifies the complexity, so this feature could be removed from future OpenSSH versions. on the other hand, the same problem applies to the agent socket, and I won't remove the agent code: you can delete all files named agent.$pid on the system ($pid is the pid of the forked sshd process).

-m
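
Added example (not part of the original message and not OpenSSH source): a C sketch of the asymmetry described in the reply above, where the directory and file were created after switching uid/groups but deleted without switching. It performs the cleanup with the session user's effective uid/gid so the kernel applies that user's permissions to the deletion. The function names are hypothetical, and supplementary groups (setgroups) are assumed to be handled by the caller.

```c
#define _DEFAULT_SOURCE 1 /* mkdtemp(), seteuid() under strict -std modes */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added sketch, not OpenSSH code. Remove `file` and its parent `dir` with the
 * session user's effective ids, so every path component is checked against
 * that user's permissions. Returns 0 if both were removed, -1 otherwise. */
int cleanup_as_user(uid_t uid, gid_t gid, const char *dir, const char *file)
{
    uid_t saved_uid = geteuid();
    gid_t saved_gid = getegid();
    int rc = -1;
    /* Group first: after seteuid() we may no longer be allowed to change gid. */
    if (setegid(gid) != 0)
        return -1;
    if (seteuid(uid) != 0) {
        if (setegid(saved_gid) != 0)
            abort();
        return -1;
    }

    if (unlink(file) == 0 && rmdir(dir) == 0)
        rc = 0;
    /* Restore in reverse order; failing to regain the saved ids is fatal. */
    if (seteuid(saved_uid) != 0 || setegid(saved_gid) != 0)
        abort();
    return rc;
}

/* Constructed round trip: create /tmp/ssh-XXXXXXXX/cookies as the current
 * user, then remove it through cleanup_as_user(). Returns 0 on success. */
int demo_roundtrip(void)
{
    char dir[] = "/tmp/ssh-XXXXXXXX", file[64];
    struct stat st;
    int fd;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(file, sizeof(file), "%s/cookies", dir);
    if ((fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0)
        return -1;
    close(fd);
    if (cleanup_as_user(geteuid(), getegid(), dir, file) != 0)
        return -1;
    return stat(dir, &st) == -1 ? 0 : -1;
}
```

When the caller is root and uid/gid belong to the session user, an unlink() or rmdir() on a path that user could not remove themselves fails with a permission error instead of succeeding with root's authority.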