OpenSSH Security Advisory: xauth command injection

Damien Miller djm at mindrot.org
Tue Mar 15 03:36:33 AEDT 2016


On Sun, 13 Mar 2016, Nico Kadel-Garcia wrote:

> >> Dag-Erling Smørgrav <des at des.no> writes:
> >> > Some OS distributions (FreeBSD, RHEL / CentOS, probably Fedora) have
> >> > X11Forwarding enabled by default.
> >> I'm not sure I see your point.
> >
> > With X11Forwarding off by default, one would assume that it is only
> > enabled on a case-by-case basis for users or groups who already have the
> > necessary privileges to run arbitrary code on the server and therefore
> > have nothing to gain from exploiting this bug.  With X11Forwarding on by
> > default, it might remain enabled for e.g. gitolite users.
> 
> OK, right. gitolite and similar tools that use ForceCommand, such as
> "svn+ssh" based setups or "rsnapshot" based backup setups, should
> ideally be publishing keys with ForceCommand and
> "no-port-forwarding,no-X11-forwarding,no-pty" options.

better to use "restrict" if you're running a recent OpenSSH
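The two key-option styles discussed in this thread (the explicit `no-port-forwarding,no-X11-forwarding,no-pty` list, and the single `restrict` option available in recent OpenSSH) can be checked for mechanically. The script below is an added example, not part of the thread or of OpenSSH; it audits an authorized_keys file for forced-command entries that still leave X11 or port forwarding open. The sample entries, the key blobs (placeholders, not real key material) and the command paths such as `/usr/bin/gitolite-shell` are all constructed for the example.

```shell
#!/bin/sh
# Audit authorized_keys entries that force a command but do not restrict the
# session: such keys can still request X11 forwarding when sshd has
# X11Forwarding enabled. Added example; not OpenSSH's own tooling.
set -eu

# Constructed sample authorized_keys content (key blobs are placeholders).
SAMPLE_KEYS='# old style: forced command plus the explicit no-* options (ok)
command="/usr/bin/gitolite-shell alice",no-port-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAAC3PLACEHOLDERKEY1 alice@example
# forced command but forwarding and pty left open: should be flagged
command="/usr/bin/svnserve -t" ssh-ed25519 AAAAC3PLACEHOLDERKEY2 svn@example
# OpenSSH >= 7.2 style: "restrict" covers all of the no-* options (ok)
restrict,command="/usr/bin/rsnapshot-wrapper" ssh-rsa AAAAB3PLACEHOLDERKEY3 backup@example
# interactive admin key without a forced command: out of scope for this check
ssh-ed25519 AAAAC3PLACEHOLDERKEY4 admin@example'

# Read authorized_keys text on stdin; print every entry that sets command="..."
# but neither uses "restrict" nor all three of
# no-port-forwarding, no-X11-forwarding and no-pty.
audit_forced_commands() {
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;          # blank lines and comments
        esac
        case "$line" in
            *'command="'*) ;;             # only forced-command entries matter here
            *) continue ;;
        esac
        # The options field is everything before the key type token.
        # (A command string that itself contains " ssh-" would be cut early;
        # the options before it are still examined.)
        opts=$line
        for kt in ssh- ecdsa- sk-; do
            opts=${opts%% $kt*}
        done
        # Wrap in commas so each option can be matched as a whole token.
        wrapped=",$opts,"
        case "$wrapped" in
            *,restrict,*) continue ;;     # restrict implies every no-* option
        esac
        case "$wrapped" in
            *,no-port-forwarding,*)
                case "$wrapped" in
                    *,no-X11-forwarding,*)
                        case "$wrapped" in
                            *,no-pty,*) continue ;;   # all three present
                        esac ;;
                esac ;;
        esac
        printf '%s\n' "$line"
    done
}

# Number of flagged entries in the constructed sample (used by the demo below).
count_unrestricted_forced_commands() {
    printf '%s\n' "$SAMPLE_KEYS" | audit_forced_commands | wc -l | tr -d ' '
}

echo "Forced-command keys without restrict or the full no-* option set:"
printf '%s\n' "$SAMPLE_KEYS" | audit_forced_commands
echo "flagged: $(count_unrestricted_forced_commands)"
```

Run it against a real file with `audit_forced_commands < ~git/.ssh/authorized_keys`; any line it prints is a candidate for adding `restrict,` in front of the existing `command=` option on a recent OpenSSH, or the explicit `no-*` list on older releases.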

