BUG: simple attack when control channel muxing is used (was: Re: ControlMaster question)
Damien Miller
djm at mindrot.org
Tue Nov 11 08:00:04 EST 2014
On Mon, 10 Nov 2014, Christoph Anton Mitterer wrote:
> Hey.
>
> Interesting that you bring this up now... I've actually looked into this
> a week ago but forgot to write a bug report.
>
> A simple test showed that ssh doesn't employ any security checks...
> when it is able to open the socket, it'll use it apparently:
>
> I tried last week something like this:
> user at hostA:~$ ssh -o ControlMaster=yes -o ControlPath=/tmp/sshmux hostB
>
> and then:
> root at hostA:~$ ssh -o ControlMaster=no -o ControlPath=/tmp/sshmux hostC
>
> As you can see, the socket is created by user, and root "accidentally"
> uses it, even trying to connect to another node.
> ssh will just do so without any complaints.
>
> And even when one uses something like %h, %p or that like, an attacker
> can easily guess these.
>
> Since it doesn't seem to be documented that the socket must be created
> in a secure location, and since there aren't any owner checks like
> sshd's StrictModes either... I'd probably consider that a security hole.
>
> Upstream, what do you think?
This behaviour is intentional. root is allowed to connect to users'
control sockets for a number of reasons. These include making them work
across sudo and it being mostly pointless to restrict root on a system.
If you want to avoid root connecting to a suspect socket, then ensure
root's sockets are created in a directory that is not writable by
untrusted users. I use "ControlPath ~/.ssh/ctl-%C"
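The mitigation above boils down to one property: the directory holding the ControlPath socket must belong to you and must not be writable by anyone else, so that no other local user can pre-create a socket there. The following shell function is an added example, not code from the thread or from OpenSSH, that checks exactly that property for a candidate directory. It assumes a POSIX shell with either GNU stat(1) (`-c`) or BSD stat(1) (`-f`); the function name `control_dir_is_safe` is my own.

```shell
#!/bin/sh
# Added example: verify that a directory intended for OpenSSH ControlPath
# sockets is owned by the invoking user and is not group- or other-writable.
# /tmp (mode 1777) fails this check; ~/.ssh (mode 700) passes it.

control_dir_is_safe() {
    dir="$1"
    [ -d "$dir" ] || return 1

    # Fetch "<owner uid> <octal mode>"; GNU stat first, BSD stat as fallback.
    if stat -c '%u %a' "$dir" >/dev/null 2>&1; then
        set -- $(stat -c '%u %a' "$dir")
    else
        set -- $(stat -f '%u %OLp' "$dir")
    fi
    owner="$1"
    mode="$2"

    # The directory must be owned by the user who will create the socket.
    [ "$owner" = "$(id -u)" ] || return 1

    # Reject if the group digit (second to last) or the others digit (last)
    # has the write bit set: 2, 3, 6 or 7.
    case "$mode" in
        *[2367]?) return 1 ;;   # group-writable
        *[2367])  return 1 ;;   # world-writable, e.g. 1777 for /tmp
    esac
    return 0
}

# Usage: check the directory that "ControlPath ~/.ssh/ctl-%C" would use.
if control_dir_is_safe "$HOME/.ssh"; then
    echo "$HOME/.ssh is safe for ControlPath sockets"
else
    echo "$HOME/.ssh is missing, not yours, or writable by others"
fi
```

Run it against the directory named in your `ControlPath` before relying on multiplexing; a result of "writable by others" on a shared system means another local user could place a socket at the path you expect.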