IETF-SSH archive


Re: Secure Shell WG: what's left?



On Wed, 10 Aug 2005, der Mouse wrote:

> I've been told modern openssh does connection sharing - when I was at
> BSDCan in May another person there showed me a manpage including an
> option for it.

Yes, for over a year now. Though the multiplexed X11 and agent support is more recent (CVS only).

> Does anyone here know what they do about this issue,
> how they deal with the "which session does this agent channel open go
> with" question?  If there's some way to do it with the stock request
> and channel type, I'd very much like to know it - but I sure can't see
> one; I think there simply isn't enough information.

Correct, connection multiplexing in OpenSSH will share a single agent and/or X11 listener between all sessions forwarded over a single TCP connection.

Apart from the lack of support[*] for forwarding multiple X or agent sockets in the protocol, I was concerned about users coming to depend on connection sharing to enforce sufficient separation between sessions with
different privilege. In particular, the risk of timing attacks, etc.

-d

* it is entirely possible to forward multiple X11 sessions using the
  protocol as specified. You can use the fake X11 auth cookie as a
  key, but of course it gets complicated if they collide and you need
  to make sure that they are long enough so as to be practically
  unguessable.
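The footnote's idea, keying forwarded X11 connections on the per-session fake cookie, can be made concrete with the X11 connection-setup message: the first thing an X client sends is a fixed header followed by the authorization protocol name and data, so a forwarder that hands each session its own fake cookie can look at that data, pick the session, and swap in the real cookie before passing the connection on. The code below is an added example written for this page, not OpenSSH code; it assumes 16-byte MIT-MAGIC-COOKIE-1 cookies and uses invented session identifiers. It also covers the two complications the footnote names: it retries on a collision between fake cookies, and it compares presented cookies in constant time so that guessing one is no easier than the cookie length makes it.

```python
import hmac
import os
import struct

AUTH_PROTO = b"MIT-MAGIC-COOKIE-1"
COOKIE_LEN = 16  # assumption: 128-bit cookies, the size xauth uses for MIT-MAGIC-COOKIE-1


def _pad4(n):
    """Padding needed to round a field up to a 4-byte boundary (X11 rule)."""
    return (4 - n % 4) % 4


def build_x11_setup(cookie, byte_order=b"l", proto=AUTH_PROTO):
    """Build the connection-setup message an X11 client sends first.

    Layout (X11 protocol): byte-order ('l' or 'B'), 1 unused byte, then five
    CARD16s: major, minor, auth-name length, auth-data length, unused; then the
    name and data, each padded to 4 bytes. Used here to construct test input.
    """
    fmt = "<" if byte_order == b"l" else ">"
    hdr = byte_order + b"\x00" + struct.pack(fmt + "HHHHH", 11, 0, len(proto), len(cookie), 0)
    return hdr + proto + b"\x00" * _pad4(len(proto)) + cookie + b"\x00" * _pad4(len(cookie))


def parse_x11_setup(buf):
    """Return (auth_proto_name, auth_data, data_offset) from a setup message.

    Raises ValueError on anything malformed; the forwarder must not crash on
    attacker-controlled bytes from the remote display side.
    """
    if len(buf) < 12:
        raise ValueError("short setup")
    if buf[0:1] == b"l":
        fmt = "<"
    elif buf[0:1] == b"B":
        fmt = ">"
    else:
        raise ValueError("bad byte-order byte")
    _major, _minor, n, d, _ = struct.unpack(fmt + "HHHHH", buf[2:12])
    name_off = 12
    data_off = name_off + n + _pad4(n)
    end = data_off + d + _pad4(d)
    if len(buf) < end:
        raise ValueError("truncated setup")
    return buf[name_off:name_off + n], buf[data_off:data_off + d], data_off


class X11Demux:
    """Map fake cookies to sessions and rewrite them to the real cookie."""

    def __init__(self, real_cookie, rng=os.urandom):
        self.real_cookie = real_cookie
        self.rng = rng            # injectable so tests can force a collision
        self.sessions = {}        # fake cookie -> session id (invented identifiers)

    def register(self, session_id):
        """Issue a fresh fake cookie for a session, retrying on collision."""
        for _ in range(8):
            fake = self.rng(COOKIE_LEN)
            if fake not in self.sessions:
                self.sessions[fake] = session_id
                return fake
        # With 128-bit random cookies this is unreachable in practice.
        raise RuntimeError("could not allocate a unique fake cookie")

    def dispatch(self, setup):
        """Return (session_id, rewritten_setup), or (None, None) to reject."""
        proto, data, data_off = parse_x11_setup(setup)
        if proto != AUTH_PROTO or len(data) != COOKIE_LEN:
            return None, None
        # Compare against every registered cookie in constant time so the
        # rejection path does not leak how many leading bytes matched.
        match = None
        for fake, sid in self.sessions.items():
            if hmac.compare_digest(fake, data):
                match = sid
        if match is None:
            return None, None
        # Same length, so the padding after the data field is unchanged.
        rewritten = setup[:data_off] + self.real_cookie + setup[data_off + COOKIE_LEN:]
        return match, rewritten
```

A forwarder would call `register` when each session's X11 forwarding is set up, hand the returned fake cookie to that session's xauth, and call `dispatch` on the first bytes of every incoming X11 connection before relaying it. What the example does not solve is the agent case: the agent protocol carries no client-supplied token at all, so there is nothing equivalent to key on.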


