Bug #8590
closedsshd does not allow agent forwarding
100%
Description
Apparently /etc/ssh/sshd_config file is missing "AllowAgentForwarding yes" option, which prevents agent forwarding.
If user is adding it manually to the file the change is lost on service restart because the config file is rewritten.
We either need to have it enabled by default or make it configurable in the UI.
I am in favour of enabling it by default because I see no security risks with it and it would be considerably easier to implement.
Updated by Anonymous over 6 years ago
Sorin Sbarnea wrote:
I am in favour of enabling it by default because I see no security risks with it and it would be considerably easier to implement.
There are, in fact, significant security risks inherent in using SSH agent forwarding. While your forwarded session is active, anyone else on the pfSense box with sufficient privileges can connect to any other host using your forwarded SSH key. For more information, check out the following write-up.
https://heipei.github.io/2015/02/26/SSH-Agent-Forwarding-considered-harmful/
As a security professional, I do not support this change. pfSense is not a jump host or shell server. It's a security appliance, and needs to be configured and treated as such.
PS: I apologize if I've overstepped my bounds here. Not sure what proper Redmine netiquette is for the pfSense project.
Updated by Jim Pingle over 6 years ago
- Status changed from New to Rejected
I concur with Justin. The security risks involved with agent forwarding make it undesirable for a firewall.
If someone wants to code up a PR to add the option -- defaulting to OFF -- we would consider accepting it, but it is not a feature that I see us allocating resources toward implementing.
If someone believes they need this feature, they could carry the change as a local modification using the system patches package without having it be a part of the pfSense code directly. Using Auto Apply, the change can be reapplied after updates.
PS: I apologize if I've overstepped my bounds here. Not sure what proper Redmine netiquette is for the pfSense project.
It's always acceptable to voice security concerns, thanks for the input!
Updated by Sorin Sbarnea over 6 years ago
It's always acceptable to voice security concerns, thanks for the input!
I think that the security concerns are not really so important because they make too many assumptions. First, it assumes your pfsense box was already pawned and second it states that the once this happened the perpetrator could use your ssh key to establish connections to other machines in your lan (the key cannot be obtained anyway). So, if someone if afraid of using an agent, they can always disable it use at the source (the client), there is no need to disable it as the server.
The funny part is that if the pfsense box is pwaned, the perpetrator could enable the ssh forwarding anyway. Mainly this renders the entire security concern unfounded because this change does not enable any new attack vector. To be valid, a security risk should demonstrate that a change is expected to downgrade the security of the product by allowing a malicious user to do something that he was not able to do before. Somehow I fail to see what was not possible before but it was possible after enabling this.
On the other hand, I do find the proposal of enabling this option in the UI as perfectly reasonable.
Updated by Sorin Sbarnea over 6 years ago
Another funny aspect is that this is a quote from official ssh manual, https://www.freebsd.org/cgi/man.cgi?sshd_config(5)
Specifies whether ssh-agent(1) forwarding is permitted. TheAllowAgentForwarding
default is yes. Note that disabling agent forwarding does not
improve security unless users are also denied shell access, as
they can always install their own forwarders.
So, default is yes, and is stated that there is no security threat with it :)
Updated by Jim Pingle over 6 years ago
- Status changed from Rejected to New
Reopening due to PR https://github.com/pfsense/pfsense/pull/3957 (adds option, defaults to off)
Updated by A FL over 6 years ago
ssbarnea
please resubmit your PR to the master branch
Updated by Renato Botelho about 6 years ago
- Status changed from New to Feedback
- Assignee set to Renato Botelho
- Target version set to 2.4.4-p1
PR merged
Updated by Anonymous about 6 years ago
- % Done changed from 0 to 100
Applied in changeset 1d835d945349d3c7b65c88155948e607bcbfdf76.
Updated by Chris Linstruth about 6 years ago
- Status changed from Feedback to Resolved
Verified that the checkbox toggles the AllowAgentForwarding in sshd_config and that agent forwarding is both enabled and disabled appropriately.