From: Markus Friedl <markus.friedl.DE>
To: BUGTRAQ
Subject: OpenSSH Security Advisory (adv.fwd)
Date: Mon, 13 Nov 2000 21:13:18 +0100
Message-ID: <20001113211318.A27132@folly>

Hostile servers can force OpenSSH clients to do agent or X11 forwarding

1. Systems affected:

   All versions of OpenSSH prior to 2.3.0 are affected.

2. Description:

   If agent or X11 forwarding is disabled in the ssh client
   configuration, the client does not request these features
   during session setup. This is the correct behaviour.

   However, when the ssh client receives an actual request
   asking for access to the ssh-agent, the client fails to
   check whether this feature has been negotiated during session
   setup. The client does not check whether the request is in
   compliance with the client configuration and grants access
   to the ssh-agent. A similar problem exists in the X11
   forwarding implementation.

3. Impact:

   Hostile servers can access your X11 display or your ssh-agent.

4. Short Term Solution:

   Clear both the $DISPLAY and the $SSH_AUTH_SOCK variable before
   connecting to untrusted hosts:

       % unset SSH_AUTH_SOCK; unset DISPLAY; ssh host

5. Solution:

   Upgrade to OpenSSH-2.3.0 or apply the attached patch.

   OpenSSH-2.3.0 is available from www.openssh.com.

6. Credits:

   Thanks to Jacob Langseth <jwl> for pointing out the X11
   forwarding issue.
Created attachment 5320: fix against OpenSSH 2.2.0
I don't see this as a _too_ big security risk.. you don't often connect to hostile servers anyway. Good excuse to upgrade to 2.3.0p1 in the process though. ;-)
Depends on usage... I often have to connect to at least "suspicious" sites...
A 2.3.0p1 errata is being prepped.
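The missing check described in section 2 of the advisory, as an added example that is not part of the original thread and is not OpenSSH source code: a minimal model of a client that records what it requested during session setup, with the unchecked handler beside the checked one. All type and function names here are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of the client-side state; not OpenSSH code. */
enum fwd_kind { FWD_AGENT, FWD_X11, FWD_KINDS };

struct client {
    bool requested[FWD_KINDS]; /* features the client asked for at setup */
};

/* Session setup: the client requests only what its configuration enables.
 * This part was already correct according to the advisory. */
static void session_setup(struct client *c, bool cfg_agent, bool cfg_x11)
{
    c->requested[FWD_AGENT] = cfg_agent;
    c->requested[FWD_X11] = cfg_x11;
}

/* Behaviour the advisory describes: a server-initiated forwarding request
 * is granted without consulting what was negotiated. */
static bool handle_open_unchecked(const struct client *c, enum fwd_kind k)
{
    (void)c;
    (void)k;
    return true;
}

/* Checked behaviour: grant only if this feature was negotiated during
 * session setup; unknown request kinds are refused. */
static bool handle_open_checked(const struct client *c, enum fwd_kind k)
{
    if ((unsigned)k >= FWD_KINDS)
        return false;
    return c->requested[k];
}

int main(void)
{
    struct client c;
    /* Constructed scenario: user disabled agent forwarding, enabled X11. */
    session_setup(&c, false, true);
    printf("agent request, unchecked: %s\n",
           handle_open_unchecked(&c, FWD_AGENT) ? "granted" : "refused");
    printf("agent request, checked:   %s\n",
           handle_open_checked(&c, FWD_AGENT) ? "granted" : "refused");
    printf("x11 request, checked:     %s\n",
           handle_open_checked(&c, FWD_X11) ? "granted" : "refused");
    return 0;
}
```
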