Re: Secure Shell WG: what's left?

[Damien Miller <djm%mindrot.org@localhost>]

On Wed, 10 Aug 2005, der Mouse wrote:

> I've been told modern openssh does connection sharing - when I was at
> BSDCan in May another person there showed me a manpage including an
> option for it.

Yes, for over a year now. Though the multiplexed X11 and agent support is 
more recent (CVS only).

> Does anyone here know what they do about this issue,
> how they deal with the "which session does this agent channel open go
> with" question?  If there's some way to do it with the stock request
> and channel type, I'd very much like to know it - but I sure can't see
> one; I think there simply isn't enough information.

Correct, connection multiplexing in OpenSSH will share a single agent 
and/or X11 listener between all sessions forwarded over a single TCP 
connection.

Apart from the lack of support[*] for forwarding multiple X or agent 
sockets in the protocol, I was concerned about users coming to depend on 
connection sharing to enforce sufficient separation between sessions with
different privilege. In particular, the risk of timing attacks, etc.

-d

* it is entirely possible to forward multiple X11 sessions using the
  protocol as specified. You can use the fake X11 auth cookie to as a
  key, but of course it gets complicated if they collide and you need
  to make sure that they are long enough so as to be practically
  unguessable.