Bug #8590

closed

sshd does not allow agent forwarding

Added by Sorin Sbarnea almost 6 years ago. Updated over 5 years ago.

Status: Resolved
Priority: Normal
Category: Operating System
Target version:
Start date: 06/22/2018
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture: All

Description

Apparently the /etc/ssh/sshd_config file is missing the "AllowAgentForwarding yes" option, which prevents agent forwarding.

If a user adds it manually to the file, the change is lost on service restart because the config file is rewritten.

We either need to have it enabled by default or make it configurable in the UI.

I am in favour of enabling it by default because I see no security risks with it and it would be considerably easier to implement.

Actions #1

Updated by Anonymous almost 6 years ago

Sorin Sbarnea wrote:

> I am in favour of enabling it by default because I see no security risks with it and it would be considerably easier to implement.

There are, in fact, significant security risks inherent in using SSH agent forwarding. While your forwarded session is active, anyone else on the pfSense box with sufficient privileges can connect to any other host using your forwarded SSH key. For more information, check out the following write-up.

https://heipei.github.io/2015/02/26/SSH-Agent-Forwarding-considered-harmful/

As a security professional, I do not support this change. pfSense is not a jump host or shell server. It's a security appliance, and needs to be configured and treated as such.

PS: I apologize if I've overstepped my bounds here. Not sure what proper Redmine netiquette is for the pfSense project.

Actions #2

Updated by Jim Pingle almost 6 years ago

  • Status changed from New to Rejected

I concur with Justin. The security risks involved with agent forwarding make it undesirable for a firewall.

If someone wants to code up a PR to add the option -- defaulting to OFF -- we would consider accepting it, but it is not a feature that I see us allocating resources toward implementing.

If someone believes they need this feature, they could carry the change as a local modification using the system patches package without having it be a part of the pfSense code directly. Using Auto Apply, the change can be reapplied after updates.

> PS: I apologize if I've overstepped my bounds here. Not sure what proper Redmine netiquette is for the pfSense project.

It's always acceptable to voice security concerns, thanks for the input!

Actions #3

Updated by Sorin Sbarnea almost 6 years ago

> It's always acceptable to voice security concerns, thanks for the input!

I think that the security concerns are not really so important because they make too many assumptions. First, it assumes your pfSense box was already pwned, and second, it states that once this happened the perpetrator could use your SSH key to establish connections to other machines in your LAN (the key cannot be obtained anyway). So, if someone is afraid of using an agent, they can always disable its use at the source (the client); there is no need to disable it at the server.

The funny part is that if the pfSense box is pwned, the perpetrator could enable the SSH forwarding anyway. Mainly this renders the entire security concern unfounded because this change does not enable any new attack vector. To be valid, a security risk should demonstrate that a change is expected to downgrade the security of the product by allowing a malicious user to do something that he was not able to do before. Somehow I fail to see what was not possible before but was possible after enabling this.

On the other hand, I do find the proposal of enabling this option in the UI as perfectly reasonable.

Actions #4

Updated by Sorin Sbarnea almost 6 years ago

Another funny aspect is that this is a quote from the official SSH manual, https://www.freebsd.org/cgi/man.cgi?sshd_config(5)

    AllowAgentForwarding
        Specifies whether ssh-agent(1) forwarding is permitted. The
        default is yes. Note that disabling agent forwarding does not
        improve security unless users are also denied shell access, as
        they can always install their own forwarders.

So, the default is yes, and it is stated that there is no security threat with it :)

Actions #5

Updated by Jim Pingle almost 6 years ago

  • Status changed from Rejected to New

Reopening due to PR https://github.com/pfsense/pfsense/pull/3957 (adds option, defaults to off)

Actions #6

Updated by A FL over 5 years ago

ssbarnea please resubmit your PR to the master branch

Actions #7

Updated by Renato Botelho over 5 years ago

  • Status changed from New to Feedback
  • Assignee set to Renato Botelho
  • Target version set to 2.4.4-p1

PR merged

Actions #8

Updated by Anonymous over 5 years ago

  • % Done changed from 0 to 100

Actions #9

Updated by Chris Linstruth over 5 years ago

  • Status changed from Feedback to Resolved

Verified that the checkbox toggles the AllowAgentForwarding in sshd_config and that agent forwarding is both enabled and disabled appropriately.
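
An added example, not part of this ticket or of pfSense's code: a shell function that reports which global AllowAgentForwarding value an sshd_config file yields, applying the default quoted from the man page in comment #4. The function name and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the global AllowAgentForwarding value of an sshd_config.
# Rules from sshd_config(5): keywords are case-insensitive, the first value
# obtained for a keyword is used, and this option defaults to "yes".
# Assumptions: Include files are not followed; settings inside Match blocks
# are only counted, not evaluated against a connection.
agent_forwarding_setting() {
    awk '
        { sub(/^[ \t]+/, "") }                 # drop leading whitespace
        /^#/ || /^$/ { next }                  # skip comments and blank lines
        {
            line = $0
            sub(/[ \t]*=[ \t]*/, " ", line)    # tolerate the keyword=value form
            split(line, f, /[ \t]+/)
            key = tolower(f[1]); val = f[2]
            gsub(/"/, "", val)                 # arguments may be quoted
        }
        key == "match" { in_match = 1; next }
        key == "allowagentforwarding" {
            if (in_match) overrides++
            else if (global == "") global = val
        }
        END {
            src = (global == "") ? "default" : "explicit"
            if (global == "") global = "yes"
            printf "global=%s source=%s match_overrides=%d\n", global, src, overrides
        }
    ' "$1"
}

# Constructed sample: option written as "no", a later duplicate that is
# ignored, and a Match block that re-enables it for one (made-up) user.
sample_off=$(mktemp)
cat > "$sample_off" <<'EOF'
# constructed sample, not a real pfSense file
Port 22
allowagentforwarding no
AllowAgentForwarding yes
Match User admin
    AllowAgentForwarding yes
EOF

# Constructed sample: the option appears only in a comment, so the default applies.
sample_absent=$(mktemp)
printf 'Port 22\n#AllowAgentForwarding no\n' > "$sample_absent"

agent_forwarding_setting "$sample_off"
agent_forwarding_setting "$sample_absent"
```

A non-zero `match_overrides` count means the global value alone does not describe every session, so the Match blocks need reading as well.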
