OpenSSH Security Advisory | Linux Today

OpenSSH Security Advisory

Written By
Web Webster
Web Webster
Nov 14, 2000
Date: Mon, 13 Nov 2000 21:13:18 +0100
From: Markus Friedl markus.friedl@INFORMATIK.UNI-ERLANGEN.DE
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: OpenSSH Security Advisory (adv.fwd)

Hostile servers can force OpenSSH clients to do agent or X11 forwarding

1. Systems affected:

        All versions of OpenSSH prior to 2.3.0 are affected.

2. Description:

        If agent or X11 forwarding is disabled in the ssh client
        configuration, the client does not request these features
        during session setup.  This is the correct behaviour.

        However, when the ssh client receives an actual request
        asking for access to the ssh-agent, the client fails to
        check whether this feature has been negotiated during session
        setup.  The client does not check whether the request is in
        compliance with the client configuration and grants access
        to the ssh-agent.  A similar problem exists in the X11
        forwarding implementation.

3. Impact:

        Hostile servers can access your X11 display or your ssh-agent.

4. Short Term Solution:

        Clear both the $DISPLAY and the $SSH_AUTH_SOCK variable
        before connecting to untrusted hosts:

                % unset SSH_AUTH_SOCK; unset DISPLAY; ssh host

5. Solution:

        Upgrade to OpenSSH-2.3.0 or apply the attached patch.
        OpenSSH-2.3.0 is available from www.openssh.com.

6. Credits:

        Thanks to Jacob Langseth jwl@pobox.com for pointing
        out the X11 forwarding issue.

Appendix:

Patch against openssh-2.2.0

--- /openssh-2.2.0/clientloop.c Sun Aug 20 00:21:19 2000
+++ ssh/clientloop.c    Fri Nov 10 13:54:42 2000
@@ -32,6 +32,8 @@
 #include "buffer.h"
 #include "bufaux.h"

+extern Options options;
+
 /* Flag indicating that stdin should be redirected from /dev/null. */
 extern int stdin_null_flag;

@@ -750,7 +752,6 @@
 int
 client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
 {
-       extern Options options;
        double start_time, total_time;
        int len;
        char buf[100];
@@ -993,7 +994,7 @@
        debug("client_input_channel_open: ctype %s rchan %d win %d max %d",
            ctype, rchan, rwindow, rmaxpack);

-       if (strcmp(ctype, "x11") == 0) {
+       if (strcmp(ctype, "x11") == 0 && options.forward_x11) {
                int sock;
                char *originator;
                int originator_port;
@@ -1066,11 +1067,14 @@
        dispatch_set(SSH_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_confirmation);
        dispatch_set(SSH_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure);
        dispatch_set(SSH_MSG_PORT_OPEN, &channel_input_port_open);
-       dispatch_set(SSH_SMSG_AGENT_OPEN, &auth_input_open_request);
        dispatch_set(SSH_SMSG_EXITSTATUS, &client_input_exit_status);
        dispatch_set(SSH_SMSG_STDERR_DATA, &client_input_stderr_data);
        dispatch_set(SSH_SMSG_STDOUT_DATA, &client_input_stdout_data);
-       dispatch_set(SSH_SMSG_X11_OPEN, &x11_input_open);
+
+       dispatch_set(SSH_SMSG_AGENT_OPEN, options.forward_agent ?
+           &auth_input_open_request : NULL);
+       dispatch_set(SSH_SMSG_X11_OPEN, options.forward_x11 ?
+           &x11_input_open : NULL);
 }
 void
 client_init_dispatch_15()
Web Webster

Web Webster

Web Webster has more than 20 years of writing and editorial experience in the tech sector. He’s written and edited news, demand generation, user-focused, and thought leadership content for business software solutions, consumer tech, and Linux Today, he edits and writes for a portfolio of tech industry news and analysis websites including webopedia.com, and DatabaseJournal.com.

Linux Today Logo

LinuxToday is a trusted, contributor-driven news resource supporting all types of Linux users. Our thriving international community engages with us through social media and frequent content contributions aimed at solving problems ranging from personal computing to enterprise-level IT operations. LinuxToday serves as a home for a community that struggles to find comparable information elsewhere on the web.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.