OpenSSH Security Advisory: xauth command injection

Nico Kadel-Garcia nkadel at gmail.com
Sat Mar 12 00:16:08 AEDT 2016


On Fri, Mar 11, 2016 at 4:41 AM, Dag-Erling Smørgrav <des at des.no> wrote:
> Nico Kadel-Garcia <nkadel at gmail.com> writes:
>> I'm just trying to figure out under what normal circumstances a
>> connection with X11 forwarding enabled wouldn't be owned by a user who
>> already has normal system privileges for ssh, sftp, and scp access.
>
> Some OS distributions (FreeBSD, RHEL / CentOS, probably Fedora) have
> X11Forwarding enabled by default.
>
> DES

I'm not sure I see your point. The client connection is still
associated with a specific client user and, in most situations, their
normal SSH, scp, and sftp client privileges.

I can see where for a ForceCommand limited connection, it provides a
way to break out of the ForceCommand limitations I could see for such
configuration, setting the sshd_config or authorized_keys options to
set XauthLocation to /dev/null as well as disabling
AllowTCPForwarding, AllowAgentForwarding, AcceptEnv, etc.

Using ForceCommand securely can be tricky: this sounds like another
reason to be very cautious, and especially not to rely on it for
restricting connections for X based applications.


More information about the openssh-unix-dev mailing list