#779069 openssh-server: no way to disable unix domain socket/streamlocal forwarding from authorized_keys

Package: openssh-server
Source: openssh
Description: secure shell (SSH) server, for secure access from remote machines
Submitter: Paul Wise
Date: 2021-09-22 04:32:00 UTC
Severity: important
Tags:

#779069#5
Date: 2015-02-24 03:47:18 UTC
From:
To:

As far as I can tell, unix domain socket forwarding is enabled by
default and there is no way to disable it from authorized_keys files.
This means that it might be possible for ssh triggers[1] to do unix
domain socket forwarding, even though they are meant to be restricted to
very limited things. SSH triggers are often restricted to a specific
command, no-agent-forwarding, no-port-forwarding, no-X11-forwarding,
no-pty and I think no-streamlocal-forwarding should be added to that
set. Personally I think this needs to be fixed before the jessie
release, please upgrade the severity to serious if you agree.
The code indicates[2] that this still needs to be completed.

     1. http://blog.ganneff.de/blog/2007/12/29/ssh-triggers.html
     2. https://sources.debian.net/src/openssh/1:6.7p1-3/auth-options.c/?hl=127#L342
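
An audit for the restriction set named in the report, added here as an example (not part of the bug report or of OpenSSH): it parses the option field of each authorized_keys line and lists forced-command entries that lack any of no-agent-forwarding, no-port-forwarding, no-X11-forwarding or no-pty. The sample entries and key blobs are constructed; the script also accepts the `restrict` option of OpenSSH 7.2 and later, which is not mentioned in the report, and it cannot check for a unix domain socket restriction because the report states that no such key option exists.

```python
# Added example: audit authorized_keys for the trigger restrictions named in
# the report. All sample entries are constructed; key blobs are placeholders.
REQUIRED = {"no-agent-forwarding", "no-port-forwarding",
            "no-x11-forwarding", "no-pty"}
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")   # a line starting like this has no options
SAMPLE = r'''# constructed sample entries
command="/usr/local/bin/trigger",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAA_PLACEHOLDER trigger@a
command="echo \"a, b\"",no-pty ssh-ed25519 AAAA_PLACEHOLDER trigger@b
restrict,command="/usr/local/bin/sync" ssh-ed25519 AAAA_PLACEHOLDER trigger@c
ssh-ed25519 AAAA_PLACEHOLDER admin@d
'''

def split_options(line):
    """Return (options, rest_of_line); quoted commas and spaces do not split."""
    line = line.strip()
    if line.startswith(KEY_TYPES):
        return [], line
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if quoted and line[i:i + 2] == '\\"':   # escaped quote inside a value
            cur, i = cur + '\\"', i + 2
            continue
        if not quoted and ch in " \t":          # end of the option field
            break
        if not quoted and ch == ",":            # separator between options
            opts, cur = opts + [cur], ""
        else:
            if ch == '"':
                quoted = not quoted
            cur += ch
        i += 1
    return opts + [cur], line[i:].strip()

def audit(text):
    """Return [(line_no, missing_restrictions)] for forced-command entries."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        # Option keywords are case-insensitive, so compare in lower case.
        names = {o.split("=", 1)[0].lower() for o in split_options(line)[0]}
        missing = sorted(REQUIRED - names)
        # Only forced-command entries are triggers; "restrict" covers the set.
        if "command" in names and "restrict" not in names and missing:
            findings.append((n, missing))
    return findings

if __name__ == "__main__":
    for line_no, missing in audit(SAMPLE):
        print(f"line {line_no}: missing {', '.join(missing)}")
```
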

#779069#10
Date: 2021-09-22 04:16:24 UTC
From:
To: