Contributed by grey on from the still secure by default, but check your configurations dept.
Though this doesn't affect OpenBSD users by default, for those using OpenSSH with the "AllowTcpForwarding" option enabled, and who are using AnonCVS you should read this advisory.
If you check /etc/ssh/sshd_config you'll see the line reading "#AllowTcpForwarding yes": the default is yes, yet the line is commented out. However, I have been corrected by mjc & Brad Smith that this only reflects that the option is enabled by default, which the sshd_config file itself clarifies:

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

A CVS server isn't running by default with OpenBSD, but this warning is still worth reading for those who may be using these tools in such an environment. You'll note from reading the advisory that OpenBSD's CVS servers have been reconfigured so as to avoid this issue since being notified.
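To make the quoted comment concrete, here is an added example (not part of the original post or of OpenSSH itself) that applies sshd_config's rules to a configuration text: commented lines change nothing, the first uncommented value of a keyword wins, and a "Match User" block (assumed available, OpenSSH 4.4 or later) overrides the global value for the named account. Both configurations below are constructed for the example.

```python
import re

BUILTIN_DEFAULTS = {"allowtcpforwarding": "yes"}  # sshd's compiled-in default

def effective_option(config_text, option, user):
    """Value of `option` that sshd would apply to `user` for this config text.

    Rules modelled from sshd_config(5): lines starting with '#' are comments
    and change nothing, so '#AllowTcpForwarding yes' only documents the
    default; for a repeated keyword the first value wins; a value inside a
    'Match User' block that lists the user overrides the global value.
    """
    option = option.lower()
    global_value = None   # first uncommented value outside any Match block
    match_value = None    # first value inside a Match block naming the user
    section = "global"    # "global", "match", or "skip" (non-matching block)
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # comments never change anything
        parts = line.split(None, 1)        # keyword, then the rest of the line
        key = parts[0].lower()
        rest = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            m = re.match(r"user\s+(\S+)", rest, re.IGNORECASE)
            section = "match" if m and user in m.group(1).split(",") else "skip"
            continue
        if key != option:
            continue
        if section == "global" and global_value is None:
            global_value = rest.lower()
        elif section == "match" and match_value is None:
            match_value = rest.lower()
    if match_value is not None:
        return match_value
    if global_value is not None:
        return global_value
    return BUILTIN_DEFAULTS.get(option)

# Constructed sample: the commented line is exactly the shipped default, so an
# anonymous CVS account still gets TCP forwarding.
SHIPPED_DEFAULT = "#AllowTcpForwarding yes\n"

# Constructed hardened variant: keep forwarding for staff, switch it off for the
# anonymous account with a Match block (hypothetical user name "anoncvs").
HARDENED = """\
AllowTcpForwarding yes
Match User anoncvs
    AllowTcpForwarding no
    X11Forwarding no
"""

if __name__ == "__main__":
    print(effective_option(SHIPPED_DEFAULT, "AllowTcpForwarding", "anoncvs"))  # yes
    print(effective_option(HARDENED, "AllowTcpForwarding", "anoncvs"))        # no
    print(effective_option(HARDENED, "AllowTcpForwarding", "alice"))          # yes
```

On a live system the authoritative check is sshd's own view, e.g. "sshd -T -C user=anoncvs", which prints the effective configuration for that user.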
By Mooch (192.100.124.218) on
Comments
By sthen (81.168.66.229) on
Normally, when you connect by SSH, it's with a password to a shell. So, 1. only people with a password could connect, and 2. they would be able to make a connection from their shell anyway. So in this case, being able to port-forward makes little or no difference.
The thing that some people might not have realised is that even a public login is allowed to port-forward.
Some people use public logins for anonymous CVS servers - others might have anonymous sftp or rsync-over-ssh, or even something simple like setting up an account which doesn't login to a shell but instead shows traffic statistics or a mail queue or a menu system.
All of these cases would allow port forwarding (usually only for the duration of the program run: possibly very long for CVS, or quite short if it's just displaying a few lines of statistics).
I'd like to think that this won't affect too many OpenBSD admins, but anyone allowing ssh connections to their machines that didn't know about port forwarding might want to look into their setup. The article gives an example of anonymous spamming; obviously another possible problem is that it might allow somebody to bypass access-restrictions or firewalls.
By Christian Jones (66.92.35.242) chjones@aleph0.com on
Sorry for the naiveté, just curious...
CDJ
By Brad (216.138.200.42) brad at comstyle dot com on
By Christian Jones (66.92.35.242) chjones@aleph0.com on
Thanks,
CDJ
By JB (64.62.161.110) jan[AT]caustic.org on
An example: you forward your local port 8080 to an anoncvs server inside the DMZ of $COMPANY or $PROVIDER. Since it's anonymous, there's no password prompt - and no password - and if you're using the -N option (no remote command executed), you suddenly have an encrypted connection behind the DMZ - without anything timing out your connection. Combine this with another handy tool, and you can scan and look at the machines behind the given firewall. Nothing's blocking you, right?
Clear now?
By Christian Jones (66.92.35.242) chjones@aleph0.com on
CDJ