OpenSSH protocol 1.6 proposal

Eivind Eklund eivind at FreeBSD.ORG
Tue Jan 4 00:20:51 EST 2000


On Mon, Jan 03, 2000 at 07:30:58PM +1100, Damien Miller wrote:
> Apart from standards-compliance, what does SSH2 buy you over a cleaned
> up SSH1?

Functional support for challenge/response authentication, at least.
When I looked, I could not find any good way to add this to the 1.x
protocol.

I think it still doesn't fix my biggest beef with ssh, though: Agent
forwarding.  The implementation of this in SSH essentially gives
out access for all your accounts to all machines you log into with
* no logs
* no way of restricting who gets authenticated (beyond turning a-f off)
* no way for the machine having the original authentication to verify who
  is asking for authentication and for what purpose (where to log into)
* a default of sending out agent forwarding
* no way to change the default and still selectively forward

The patches for the latter two problems are trivial; I'm including
them below for completeness.  Fixing the other problems is not as easy
(it requires a bit of thought and several orders of magnitude more
coding); if anybody wants to do this, contact me and I'll send you an
outline for how to get a reasonable implementation, including backwards
compatibility (allows the enhancements to be used securely even when
forwarding through servers that have not got support for the
enhancements.)

Eivind.

Central patch, to make it possible to selectively enable agent forwarding:

--- ssh.c.orig	Wed May 12 13:19:28 1999
+++ ssh.c	Sat Nov  6 20:50:55 1999
@@ -280,6 +280,7 @@
   fprintf(stderr, "  -l user     Log in using this user name.\n");
   fprintf(stderr, "  -n          Redirect input from /dev/null.\n");
   fprintf(stderr, "  -a          Disable authentication agent forwarding.\n");
+  fprintf(stderr, "  -A          Enable authentication agent forwarding.\n");
 #if defined(KERBEROS_TGT_PASSING) && defined(KRB5)
   fprintf(stderr, "  -k          Disable Kerberos ticket passing.\n");
 #endif /* defined(KERBEROS_TGT_PASSING) && defined(KRB5) */
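Review bot: the new `-A` usage line is the only thing this hunk adds, and neither hunk in ssh.c touches the getopt option string that the `case` labels are matched against; unless that string (not shown in the diff) also gains `A`, getopt rejects `-A` as an unknown option and the `case 'A':` added below is never reached. The ssh(1) man page should also gain the `-A` entry next to `-a` in the same patch.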
@@ -537,6 +538,10 @@
 
         case 'a':
           options.forward_agent = 0;
+          break;
+
+        case 'A':
+          options.forward_agent = 1;
           break;
 
         case 'k':
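Review bot: `case 'A':` assigns `options.forward_agent = 1` outright, mirroring `case 'a':`, so when both flags appear the last one on the command line wins, which is the normal getopt convention. Because the field is set directly rather than left at -1, the value survives `fill_default_options()` (which, per the readconf.c hunk, only fills -1), so `-A`/`-a` keep precedence over any `ForwardAgent` line in ssh_config provided the config reader also leaves an already-set field alone; a one-line comment such as `/* -A/-a override ForwardAgent from the config file */` would make that intent explicit.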

Change the default to the correct one (security rule #1: Disable
everything, enable what you need.)

--- readconf.c.orig	Wed May 12 13:19:27 1999
+++ readconf.c	Sat Nov  6 20:47:49 1999
@@ -716,7 +716,7 @@
 void fill_default_options(Options *options)
 {
   if (options->forward_agent == -1)
-    options->forward_agent = 1;
+    options->forward_agent = 0;
   if (options->forward_x11 == -1)
     options->forward_x11 = 1;
   if (options->rhosts_authentication == -1)
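Review bot: changing the fallback in `fill_default_options()` from 1 to 0 is a behaviour change for every user who relied on the old default, so the ssh_config(5) description of `ForwardAgent` needs its stated default flipped in the same patch, and the patch description should say that forwarding now requires an explicit `ForwardAgent yes` or `-A`. The neighbouring `forward_x11` default is left at 1; the "disable everything, enable what you need" argument from the cover text applies equally to X11 forwarding, so either that inconsistency is deliberate and deserves a note, or a matching change is worth considering.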
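The selective-forwarding policy that the `-A` flag and the new default are meant to enable, written out as an ssh_config fragment. This is an added example, not part of the original post or of the patches; it assumes the client `ForwardAgent` keyword that readconf.c's `forward_agent` field reflects, and the host name is a placeholder.

```sshconfig
# Added example (not from the post): agent forwarding off by default,
# enabled only for the one host that genuinely needs to hop onward.
#
# ssh_config uses the FIRST value obtained for each keyword, so the
# host-specific block must come BEFORE the catch-all "Host *" block;
# the other way round, the "yes" below would never take effect.

# Placeholder bastion that must authenticate onward on your behalf.
Host bastion.example.org
    ForwardAgent yes

# Everything else gets no agent socket at all, so a compromised or
# hostile server cannot use your keys to log into other machines.
Host *
    ForwardAgent no
```

For a one-off session to some other host the patched client's `-A` flag overrides the file (`ssh -A user@host`), while `-a` can still turn forwarding off for a single connection to the bastion; with the readconf.c change applied, a client with no config file at all behaves like the `Host *` block.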




