Bugtraq mailing list archives

Re: SSH / X11 auth: needless complexity -> security problems?


From: Markus Friedl <mfriedl () genua de>
Date: Wed, 6 Jun 2001 10:11:18 +0200

On Tue, Jun 05, 2001 at 03:21:32PM -0400, Peter W wrote:
> As for the patches that are more careful when creating 
> /tmp/ssh-XXXXXXXX/cookies -- isn't there still an assumption that 
> /tmp/ssh-XXXXXXXX/cookies won't be removed before the ssh session ends?

no. sshd did switch uid/groups before creating the dir and the file,
but did not when deleting them. the same applies to agent forwarding.

> then don't 
> you have another attack vector -- regardless of how careful you were when 
> creating the cookies file & its parent directory?

no, i don't think so.

> It seems to me this whole xauthority business may be adding complexity for
> no good reason. Since the DISPLAY name changes, and an Xauthority file can
> hold multiple X cookie credentials, is there any good reason why OpenSSH
> need to make, and then, wipe out, a special xauthority file? why it can't
> just add credentials to the default xauthority file? Wouldn't that be 
> simpler and, almost by definition, more secure? If you really want to be 
> polite/clean, you can use the xauth "remove" command to purge the cookie 
> from ~/.Xauthority

this feature was inherited from ossh and the reason was:
        1) if $HOME is on NFS, then the cookie travels unencrypted
           over the network, this defeats the purpose of X11-fwding
        2) $HOME/.Xauthority gets polluted with temporary cookies.
however, i'm not sure whether the benefit justifies the complexity,
so this feature could be removed from future OpenSSH versions.

on the other hand, the same problem applies to the agent socket, and
I won't remove the agent code: you can delete all files named
agent.$pid on the system ($pid is the pid of the forked sshd process).

-m
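
The point Markus makes above, that sshd switched uid/groups before creating /tmp/ssh-XXXXXXXX/cookies but not before deleting it, is illustrated by the added example below. It is not OpenSSH code and not part of this thread; the function and directory names are this example's own assumptions. It removes a per-session cookie file and its directory only after dropping to the session user, and walks the path with O_NOFOLLOW directory descriptors so that a symlink planted in /tmp by another user cannot redirect the unlink or rmdir. The two demo functions build a constructed legitimate layout and a constructed symlink swap under a fresh mkdtemp directory.

```c
/* Added example, not OpenSSH code: privilege-dropping, symlink-safe
 * cleanup of a session cookie directory such as /tmp/ssh-XXXXXXXX/cookies.
 * All names here (cleanup_session_dir, "ssh-session") are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Switch to the session user before touching anything in /tmp.
 * No-op when already that user; -1 if the drop fails or is reversible. */
static int drop_to_user(uid_t uid, gid_t gid)
{
    if (getuid() == uid && getgid() == gid)
        return 0;
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (uid != 0 && setuid(0) == 0)   /* must not be able to regain root */
        return -1;
    return 0;
}

/* Remove parent/dirname/filename, then parent/dirname, as the session
 * user. Returns 0 on success, -1 if anything looks tampered with. */
int cleanup_session_dir(const char *parent, const char *dirname,
                        const char *filename, uid_t owner, gid_t group)
{
    if (drop_to_user(owner, group) != 0)
        return -1;
    int pfd = open(parent, O_RDONLY | O_DIRECTORY);
    if (pfd < 0)
        return -1;
    /* O_NOFOLLOW: open fails with ELOOP if dirname has become a symlink. */
    int dfd = openat(pfd, dirname, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0) {
        close(pfd);
        return -1;
    }
    struct stat st;
    int ok = fstat(dfd, &st) == 0 && st.st_uid == owner
             && (st.st_mode & 0077) == 0;      /* we created it mode 0700 */
    if (ok)
        ok = unlinkat(dfd, filename, 0) == 0 || errno == ENOENT;
    close(dfd);
    if (ok)
        ok = unlinkat(pfd, dirname, AT_REMOVEDIR) == 0;
    close(pfd);
    return ok ? 0 : -1;
}

static int write_file(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs(text, f);
    return fclose(f);
}

/* Constructed scenario: our own session dir with a cookie file inside. */
int demo_legitimate_cleanup(void)
{
    char parent[] = "/tmp/ex-XXXXXX", dir[256], file[256];
    if (mkdtemp(parent) == NULL)
        return -1;
    snprintf(dir, sizeof dir, "%s/ssh-session", parent);
    snprintf(file, sizeof file, "%s/cookies", dir);
    if (mkdir(dir, 0700) != 0 || write_file(file, "constructed cookie\n") != 0)
        return -1;
    int rc = cleanup_session_dir(parent, "ssh-session", "cookies",
                                 getuid(), getgid());
    int gone = access(dir, F_OK) != 0;
    rmdir(parent);
    return (rc == 0 && gone) ? 0 : -1;
}

/* Constructed attack: the session dir was swapped for a symlink to a
 * directory holding a file that must survive the cleanup. */
int demo_symlink_swap_refused(void)
{
    char parent[] = "/tmp/ex-XXXXXX", vdir[256], vfile[256], link[256];
    if (mkdtemp(parent) == NULL)
        return -1;
    snprintf(vdir, sizeof vdir, "%s/victim", parent);
    snprintf(vfile, sizeof vfile, "%s/cookies", vdir);
    snprintf(link, sizeof link, "%s/ssh-session", parent);
    if (mkdir(vdir, 0700) != 0 || write_file(vfile, "precious\n") != 0)
        return -1;
    if (symlink(vdir, link) != 0)
        return -1;
    int rc = cleanup_session_dir(parent, "ssh-session", "cookies",
                                 getuid(), getgid());
    int survived = access(vfile, F_OK) == 0;
    unlink(link); unlink(vfile); rmdir(vdir); rmdir(parent);
    return (rc == -1 && survived) ? 0 : -1;
}

int main(void)
{
    printf("legitimate cleanup: %s\n", demo_legitimate_cleanup() == 0 ? "ok" : "FAIL");
    printf("symlink swap: %s\n", demo_symlink_swap_refused() == 0 ? "refused" : "FAIL");
    return 0;
}
```

Dropping privileges is the defence Markus describes; the O_NOFOLLOW walk is belt and braces for the window where the directory is removed and re-created as a symlink between the session's create and delete steps, which is the attack vector Peter asks about. The same two measures apply to the agent.$pid socket and its directory.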

