[Bug 2912] New: ssh keeps connection open to ssh-agent for lifetime of connection
bugzilla-daemon at bugzilla.mindrot.org
Wed Oct 3 16:19:01 AEST 2018
https://bugzilla.mindrot.org/show_bug.cgi?id=2912
Bug ID: 2912
Summary: ssh keeps connection open to ssh-agent for lifetime of connection
Product: Portable OpenSSH
Version: 7.6p1
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: anakin at pobox.com
When ssh authenticates to a server using ssh-agent, it seems to open a
single socket to talk to the agent, and cache it so that it can keep
using the same socket for all agent requests needed during the userauth
phase.
At the end of the userauth phase, it doesn't close that socket. So the
ssh client program continues to have a connection open to the
authentication agent for the entire lifetime of the SSH session, even
if that session is not doing agent forwarding.
I can't think of any reason why that agent connection is still useful
after userauth finishes, and leaving it open is mildly inconvenient in
the following scenario (which is how I noticed it):
* ssh from host A to host B, with agent forwarding
* on host B, run tmux or GNU screen
* inside the screen, ssh from host B to host C (without agent
forwarding), authenticating via the agent forwarded from A
* detach the tmux session from the terminal and attempt to log out of
host B, leaving the ssh from B to C still running inside tmux
In this situation, the ssh client on A does not terminate when the
"session" channel closes, because there's still another channel open,
namely the connection to ssh-agent on A forwarded from the ssh client
running on B. If ssh on B had closed its agent connection once the
userauth phase had finished, this would all work fine.
But aside from the mild inconvenience, is it possible that this might
also be (slightly) relevant to security? It's not a vulnerability in
its own right, but if an attacker *were* to subvert the SSH client
through the connection protocol in some way, it would be better if it
wasn't holding an unnecessary high-value resource such as a trusted
socket to a signing agent. Closing such a socket once it's no longer
needed seems to me like another application of the same principle of
safety as dropping privilege on the server side.
(Observed on ssh 7.4p1 on Debian, 7.6p1 on Ubuntu 18.04, and commit
a46ac4d86 in the repository at
https://github.com/openssh/openssh-portable.)
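As an added illustration (not part of the bug report above, and not OpenSSH code): the simplest way to see the behaviour the reporter describes is to list which processes currently hold an established connection to the agent socket. On Linux, `ss -xp` prints one line per unix socket, with the bound path and inode on the agent side and the peer inode on the client side, so the two ends of each connection can be matched by inode. The script below parses that output and reports every process connected to `$SSH_AUTH_SOCK`; the sample `ss` output embedded in it is constructed for the example (paths, inodes and pids are made up), and the column layout it assumes is that of iproute2's `ss -xp`.

```python
import os
import re
import subprocess
from dataclasses import dataclass

# Constructed sample of `ss -xp` output; not captured from a real host.
# Two ssh clients (pids 2000 and 2001) are connected to the agent, which is
# what you would see on host A in the reporter's scenario: one connection
# left over from the client's own userauth, one serving a forwarded channel.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
u_str LISTEN 0      128    /tmp/ssh-XXXXabcd/agent.1000 20001 * 0 users:(("ssh-agent",pid=1000,fd=3))
u_str ESTAB  0      0      /tmp/ssh-XXXXabcd/agent.1000 20002 * 20003 users:(("ssh-agent",pid=1000,fd=4))
u_str ESTAB  0      0      * 20003 * 20002 users:(("ssh",pid=2000,fd=3))
u_str ESTAB  0      0      /tmp/ssh-XXXXabcd/agent.1000 20004 * 20005 users:(("ssh-agent",pid=1000,fd=5))
u_str ESTAB  0      0      * 20005 * 20004 users:(("ssh",pid=2001,fd=3))
u_str ESTAB  0      0      /run/user/1000/bus 30001 * 30002 users:(("dbus-daemon",pid=900,fd=10))
u_str ESTAB  0      0      * 30002 * 30001 users:(("gnome-shell",pid=1100,fd=12))
"""

# Matches one ("name",pid=N,fd=N) entry in the Process column.
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=(\d+)\)')


@dataclass
class UnixSock:
    state: str
    local_path: str      # bound path, or "*" for the unnamed client end
    local_inode: int
    peer_inode: int      # 0 for a listening socket
    procs: list          # [(name, pid, fd), ...]; empty if not visible to us


def parse_ss_unix(text):
    """Parse `ss -xp` output into UnixSock records (stream sockets only)."""
    socks = []
    for line in text.splitlines():
        fields = line.split()
        # Header line and non-stream sockets are skipped.
        if len(fields) < 8 or fields[0] != "u_str":
            continue
        state, local_path, local_inode = fields[1], fields[4], fields[5]
        peer_inode = fields[7]
        # The Process column is absent for sockets we are not allowed to see.
        procs = [(name, int(pid), int(fd))
                 for name, pid, fd in PROC_RE.findall(" ".join(fields[8:]))]
        socks.append(UnixSock(state, local_path, int(local_inode),
                              int(peer_inode), procs))
    return socks


def agent_clients(ss_text, auth_sock):
    """Return (name, pid, fd) for every process connected to auth_sock.

    Each accepted connection shows up as an ESTAB socket bound to the agent
    path; its peer inode is the client end's local inode, so we look that
    inode up to find the client process.
    """
    socks = parse_ss_unix(ss_text)
    by_inode = {s.local_inode: s for s in socks}
    clients = []
    for s in socks:
        if s.state != "ESTAB" or s.local_path != auth_sock:
            continue
        client_end = by_inode.get(s.peer_inode)
        if client_end is None:
            continue
        clients.extend(client_end.procs)
    return sorted(clients)


if __name__ == "__main__":
    # Live check on the current host: needs iproute2's `ss` and a running agent.
    auth_sock = os.environ.get("SSH_AUTH_SOCK")
    if not auth_sock:
        raise SystemExit("SSH_AUTH_SOCK is not set")
    out = subprocess.run(["ss", "-xp"], capture_output=True, text=True,
                         check=True).stdout
    for name, pid, fd in agent_clients(out, auth_sock):
        print(f"{name} pid={pid} fd={fd} holds a connection to {auth_sock}")
```

Run it from a shell that has `SSH_AUTH_SOCK` set while an `ssh` session authenticated via the agent is still up; an `ssh` process that appears in the output after userauth has finished, with no agent forwarding in use, is exactly the lingering connection this report is about. `ss -p` only shows process names for sockets owned by the invoking user unless run as root, so connections from other users' clients are listed without a process.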