[Bug 3316] possible bypass of fido 2 devices and ssh-askpass

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Jun 4 13:17:08 AEST 2021


Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
First, the root cause is forwarding an agent to an attacker-controlled
destination - the user is effectively delegating use of their keys to
that attacker.

Second, this is not an authentication bypass, since nothing is being
bypassed. The user is becoming confused as to the context of a FIDO
touch request. That makes this more like phishing than anything else.

This attack may be mitigated by setting LogLevel=verbose so ssh(1) will
print a message at the conclusion of authentication:

> [djm at origin ~]$ ssh -oLogLevel=verbose host
> Authenticated to host.example.com ([]:22).
> $

Fundamentally, forwarding an agent is a risky operation and should be
avoided where possible. This is why we implemented ProxyJump :)
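As an added illustration (not part of the bug report or of OpenSSH's own documentation), the two mitigations named in Comment #1 can be expressed in a client `~/.ssh/config`. The host names, the bastion `bastion.example.com` and the key path are assumed placeholders.

```sshconfig
# Added example (not from the bug report): a client ssh_config that keeps
# the agent local and makes the authentication context visible.
# Host names and the key path are assumed placeholders.

# Defaults for every host: do not forward the agent unless a later Host
# block explicitly opts in, and log at VERBOSE so ssh(1) prints the
# "Authenticated to <host> ..." line that ties each FIDO touch to the
# host it actually authenticated to.
Host *
    ForwardAgent no
    LogLevel VERBOSE

# Reach an internal host through a bastion with ProxyJump instead of
# agent forwarding: the connection to "internal" is tunnelled through
# the bastion, and both authentications are performed by the local
# ssh(1), so the bastion never gets access to the agent socket or the
# FIDO authenticator.
Host internal
    HostName internal.example.com
    ProxyJump bastion.example.com
    IdentityFile ~/.ssh/id_ed25519_sk
```

With this configuration, `ssh internal` performs two authentications from the local machine (first to the bastion, then to the internal host) and, because of `LogLevel VERBOSE`, reports each one on stderr, so a touch prompt that is not followed by an expected "Authenticated to" line for the host you meant to reach stands out.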
