[Secure-testing-team] Bug#765632: openssh-client: Debian shouldn't deviate in hardcoded default values, especially not security relevant one

Christoph Anton Mitterer calestyo at scientia.net
Thu Oct 16 18:47:00 UTC 2014


Package: openssh-client
Version: 1:6.7p1-2
Severity: important
Tags: security


Hi.

Apparently Debian deviates in a few of OpenSSH's hardcoded default
settings, namely:
- ForwardX11Trusted being set to yes
- ServerAliveInterval being set to 300, when BatchMode is set to yes.

Even though I've read that before it wasn't clear to me, that you just
changed the values in the default config files but really the hard coded
ones in the binary.

Especially for ForwardX11Trusted this seems a security issue to me, since
you change to the insecure mode.
Even if there was any good reason for this (why btw?)... no one expects
this, i.e. no one coming from non-Debian, and while one can probably
demand admins and users to check their *config files* for different
defaults on different platforms, one cannot expect that people re-read
all manpages whether the program options themselves have changed;
especially not in the case of well-known programs like ssh, which behave
differently in every other place.

I would perhaps agree to such a step, if it closes a security issue but
this actually opens one (long story short: we've had an attack here in
the faculty on two nodes from a compromised machine, which was at least
made easier by this). :(


I don't have that strong feelings about ServerAliveInterval/BatchMode,
since I wouldn't see at least any direct way how to exploit this in terms
of security.
Yet I still think that such deviation is bad since everyone expects it
not to happen... and there may be programs which expect the connection
to remain open (and perhaps resume) and Debian sets a timeout which doesn't
exist anywhere else.
A proper solution would have been to add a new option like:
DefaultBatchModeServerAliveInterval, which defaults to the same
value as upstream (0) but which could be set to e.g. your 300s.
Then this option could have been set in Debian's default ssh_config
and be used properly.



That being said, could you possibly do the following:
1) No longer change the hard coded default of ForwardX11Trusted
but rather add a ForwardX11Trusted=yes in new default ssh_config.
Or completely stop setting it, if there is no longer any reason for it.
For legacy users (who may be surprised) a NEWS entry should be added.

2) For ServerAliveInterval/BatchMode, I would suggest my solution
above, again with a NEWS entry.
But as said, it's less important here.


Thanks,
Chris.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_DE.utf8, LC_CTYPE=en_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-client depends on:
ii  adduser           3.113+nmu3
ii  dpkg              1.17.18
ii  libc6             2.19-11
ii  libedit2          3.1-20140620-2
ii  libgssapi-krb5-2  1.12.1+dfsg-10
ii  libselinux1       2.3-2
ii  libssl1.0.0       1.0.1j-1
ii  passwd            1:4.2-2+b1
ii  zlib1g            1:1.2.8.dfsg-2

Versions of packages openssh-client recommends:
ii  xauth  1:1.0.9-1

Versions of packages openssh-client suggests:
pn  keychain      <none>
pn  libpam-ssh    <none>
pn  monkeysphere  <none>
pn  ssh-askpass   <none>

-- no debconf information
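
Added example, not part of the original report: because the deviation described above lives in the binary rather than in ssh_config, a check has to look at the effective settings. This sketch assumes OpenSSH 6.8 or later, whose `ssh -G` prints the resolved client configuration (newer than the 6.7p1 in the report); the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original report). Compares effective ssh client
# settings with the upstream defaults for the two options discussed above.
# Input: output of `ssh -G <host>` on stdin. Exit status 1 on any deviation.

audit_ssh_defaults() {
    awk '
        # ssh -G prints "keyword value" pairs with lowercase keywords.
        { opt[tolower($1)] = tolower($2) }
        END {
            bad = 0
            # Upstream default: ForwardX11Trusted no (untrusted forwarding).
            if (!("forwardx11trusted" in opt)) {
                print "UNKNOWN forwardx11trusted (not in input)"
            } else if (opt["forwardx11trusted"] == "yes") {
                bad = 1
                if (opt["forwardx11"] == "yes")
                    print "DEVIATION forwardx11trusted=yes (X11 forwarding on, trusted mode in use)"
                else
                    print "DEVIATION forwardx11trusted=yes (applies once -X or ForwardX11 is used)"
            } else {
                print "OK forwardx11trusted=" opt["forwardx11trusted"]
            }
            # Upstream default: ServerAliveInterval 0 (no keepalive timeout).
            if (opt["serveraliveinterval"] + 0 != 0) {
                bad = 1
                print "DEVIATION serveraliveinterval=" opt["serveraliveinterval"] \
                      " (batchmode=" opt["batchmode"] ")"
            } else {
                print "OK serveraliveinterval=0"
            }
            exit bad
        }
    '
}

# Constructed sample input, shaped like `ssh -G` output on a client showing
# both deviations named in the report.
sample_affected() {
    printf '%s\n' 'batchmode yes' 'forwardx11 no' \
        'forwardx11trusted yes' 'serveraliveinterval 300'
}

# Real use (host name is a placeholder): ssh -G somehost | audit_ssh_defaults
```

Running it once with and once without `-o BatchMode=yes` on the `ssh -G` command line shows whether the keepalive interval depends on BatchMode.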


