| Summary: | Allow ip options except source routing | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | jchadima | ||||||||
| Component: | sshd | Assignee: | Assigned to nobody <unassigned-bugs> | ||||||||
| Status: | CLOSED WONTFIX | ||||||||||
| Severity: | normal | CC: | djm, dtucker, jchadima, jfch, jjelen | ||||||||
| Priority: | P2 | ||||||||||
| Version: | 5.2p1 | ||||||||||
| Hardware: | Other | ||||||||||
| OS: | Linux | ||||||||||
| Attachments: |
|
||||||||||
|
Description
jchadima
2009-09-01 21:29:14 AEST
Created attachment 1691 [details]
Patch solving the problem
Exactly what "problem" are you trying to solve here?
On the patch itself: it does not seem to correctly handle NOP (option 1) and I suspect you could slip a source route past it with just {NOP, LSR, ...}.
Created attachment 1693 [details]
Fixed patch
The increment is not right for the other options either - the value in the length octet includes the two bytes for type and length octets.
The attached patch should be right.
The patch is necessary for allowing connections over CIPSO labelled networking to sshd.
(In reply to comment #3) > Created an attachment (id=1693) [details] [...] > The patch is necessary for allowing connections over CIPSO labelled > networking to sshd. That's not true, it's far broader that that. It allows all options, present and future (other than source route) regardless of the security implications. Also, I was curious about the origin of this patch, and it seems the original author was Paul Moore at HP. Is this the case? Who are the original authors of the rest of the patches recently submitted? http://cvs.fedoraproject.org/viewvc/rpms/openssh/F-8/openssh-4.3p2-allow-ip-opts.patch?view=co
>
> Also, I was curious about the origin of this patch, and it seems the
> original author was Paul Moore at HP. Is this the case? Who are the
> original authors of the rest of the patches recently submitted?
>
Yes this patch origins from Paul More @Hp. The rest is by Red Hat people: Nalin Dahyabhai, Steve Grubb, Dan Walsh, Tomas Mraz and Jan F. Chadima and maybe others.
If we're going to do this we should whitelist known safe options instead, and we should handle IP4 and IP6 connections consistently. I'll take a look at this for 5.4. We are freezing for the OpenSSH 5.6 release. Retargetting these bugs to the next release. Targetting OpenSSH 5.7 Retarget unclosed bugs from 5.7=>5.8 Retarget unresolved bugs/features to 6.0 release Retarget unresolved bugs/features to 6.0 release Retarget unresolved bugs/features to 6.0 release (try again - bugzilla's "change several" isn't) Retarget from 6.0 to 6.1 Retarget 6.0 => 6.1 Retarget uncompleted bugs from 6.1 => 6.2 Retarget bugs from 6.1 => 6.2 I think this should be a (very short) whitelist of permitted options rather than a blacklist of a few bad options. retarget to openssh-6.3 Retarget to openssh-6.4 Retarget 6.3 -> 6.4 Removing this from consideration for release until comment #17 is resolved. Created attachment 2824 [details]
Whitelist of safe options
Current version we are using in Fedora and RHEL (written by Petr Lautrbach) is using explicit whitelist of 0, 1, 130, 133 and 134 options instead of previous blacklist. All the other options cause failure as before. I don't know why it was not submitted upstream before so doing now. Let me know if it is acceptable in this way.
Closing this bug. No clear motivation was ever offered - CIPSO is an expired draft. It and the other option in the proposed whitelist (SEC: rfc1108) is basically equivalent to rfc3514. close bugs that were resolved in OpenSSH 8.5 release cycle |