Subject: Re: ssh is no longer installed suid
To: None <current-users@netbsd.org>
From: Tero Kivinen <kivinen@ssh.fi>
List: current-users
Date: 03/29/2001 20:03:41

gr@eclipsed.net (gabriel rosenkoetter) writes:
> ssh's suid bit is unset (and should be, imho) because of unresolved
> problems (with the protocol, not the implementation) by which an
> evil sshd could use a client's X and authentication forwarding to
> take advantage of the host running the client.

For the authentication agent, I don't think that is true for the
protocol version 2 clients or servers. There the full path of the
agent request should be available for the agent, thus it can make
a policy decision based on that.

For the X11 forwarding, it does not allow taking advantage of the host
running the client, but the host running X11. This is inherently
because of the X11 forwarding. If you want to forward X11 you also
want to allow programs to connect to the X11 server...

> If the ssh client
> were suid to boot, that would mean remote root access.

Neither of those should allow you root access, if I remember
correctly those only allow you to either use the agent (and then it
depends what your agent allows you to do) or to open an X11 connection
to your X server, which can of course then be used to sniff on the
keyboard events etc.

Neither of those is really related to the suid root ssh (or if it is
then it is an implementation issue, not a protocol issue).

> This is also why OpenSSH (rightly) defaults the ForwardX11 and
> ForwardAgent options to no, requiring you to set them explicitly in
> ~/.ssh/config. (Our in-tree ssh should behave the same way, though

For the agent forwarding there are much better ways to deal with that
than just disabling agent forwarding (i.e. make ssh-agent understand a
policy where you can configure it to allow or disallow requests, and
in case it does not know it can pop up a window and ask).

For the X11 forwarding this depends quite heavily on the usage of the
ssh. In most cases users do want to forward X11, but on the other hand
they also do trust the remote administrators. If they do not trust the
remote administrators then they should disable X11, agent and channel
forwarding.
-- 
kivinen@ssh.fi                               Work : +358 303 9870
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
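
Added example, not part of the original message or of any ssh distribution: a small audit that computes which forwarding options a given host would actually get from an ssh_config-style file, since the thread's advice is to leave ForwardAgent and ForwardX11 off for hosts whose administrators are not trusted. It follows OpenSSH's documented "first obtained value wins" rule and Host pattern negation. Assumptions: the host names and sample config are constructed, Match and Include directives are not handled, and Python's fnmatch only approximates ssh's pattern matching.

```python
import fnmatch

# Constructed sample ~/.ssh/config (host names are made up for this example).
SAMPLE_CONFIG = """\
Host build.example.org
    ForwardAgent yes
Host *.lab.example.org !gw.lab.example.org
    ForwardX11 yes
Host untrusted.example.net
    ForwardAgent no
    ForwardX11 no
Host *
    ForwardAgent yes
"""

# Options of interest; OpenSSH's default for both is "no".
DEFAULTS = {"forwardagent": "no", "forwardx11": "no"}


def host_matches(patterns, hostname):
    """Host line matching: a negated match vetoes; one positive match is needed."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pat):
            matched = True
    return matched


def effective_forwarding(config_text, hostname):
    """Return the effective forwarding options; the first value obtained wins."""
    result = {}
    active = True  # lines before any Host block apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.replace("=", " ", 1).partition(" ")
        key, value = key.lower(), value.strip()
        if key == "host":
            active = host_matches(value.split(), hostname)
        elif active and key in DEFAULTS and key not in result:
            result[key] = value.lower()
    return {**DEFAULTS, **result}
```

In the sample, the trailing `Host *` block turns agent forwarding on for every host that has not already been given a value, so only the explicit block for untrusted.example.net keeps it off there; placing `Host *` first would override even that block.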