BUG: simple attack when control channel muxing is used (was: Re: ControlMaster question)

shawn wilson ag4ve.us at gmail.com
Tue Nov 11 13:55:06 EST 2014


On Nov 10, 2014 8:26 PM, "mancha" <mancha1 at zoho.com> wrote:
>
> On Tue, Nov 11, 2014 at 08:00:04AM +1100, Damien Miller wrote:
> > On Mon, 10 Nov 2014, Christoph Anton Mitterer wrote:
>
> [SNIP]
>
> > This behaviour is intentional. root is allowed to connect to users'
> > control sockets for a number of reasons. These include making them
> > work across sudo and it being mostly pointless to restrict root on a
> > system.
> >
> > If you want to avoid root connecting to a suspect socket, then ensure
> > root's sockets are created in a directory that is not writable by
> > untrusted users. I use "ControlPath ~/.ssh/ctl-%C"
>
> Before I got Damien's response I had already cooked up a new patch that
> imposes three restrictions on control socket usage: 1. must be owned by
> user, 2. perms must be 600, and 3. hard link count can't exceed one.
>
> Those who want the more stringent conditions are welcome to it. Modify
> to your heart's content.
>
> It's a bit less racy but if you have a more atomic (and still portable)
> approach, go for it. I won't be spending any more time on this.
>

Great for general use. However there should be an option to turn the owner
and perms check off. I like single-use accounts (I haven't done this but
now that I'm thinking about it) so a repo user who handles repo
interactions. I wouldn't want it to have access to my ssh private keys but
would set up a ControlMaster for it to use.

Also, it'd be cool if I could report on the parameters a ControlMaster was
initialized with (host, port, user, key, etc.) - if this information could
be kept in memory and be retrieved via the file that might help with this
issue (and it's something that's been on my mind besides :P ).
