From b2b94acc97254c7fffcb375120eea26c42c65292 Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Fri, 11 Nov 2022 11:25:50 +0800 Subject: [PATCH] Better docs for DisableTrivialAuth --- CHANGES | 13 ++++++++----- dbclient.1 | 20 +++++++++++++++++++- 2 files changed, 27 insertions(+), 6 deletions(-) diff --git a/CHANGES b/CHANGES index 9d9d480..457cb52 100644 --- a/CHANGES +++ b/CHANGES @@ -40,7 +40,7 @@ Features and Changes: - Improve permission error message Patch from k-kurematsu -2022.82 regression fixes: +Regression fixes from 2022.82: - Fix X11 build @@ -155,10 +155,13 @@ Features and Changes: Patch from Raphaƫl Hertzog https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903403 -- Added client option "-o DisableTrivialAuth". This can be used to prevent - the server immediately accepting successful authentication (before any auth - request) which could cause UI confusion and security issues with agent - forwarding - it isn't clear which host is prompting to use a key. +- Added client option "-o DisableTrivialAuth". It disallows a server immediately + giving successful authentication (without presenting any password/pubkey prompt). + This avoids a UI confusion issue where it may appear that the user is accepting + a SSH agent prompt from their local machine, but are actually accepting a prompt + sent immediately by the remote server. + CVE-2021-36369 though the description there is a bit confused. It only applies + to Dropbear as a client. Thanks to Manfred Kaiser from Austrian MilCERT - Add -q client option to hide remote banner, from Hans Harder diff --git a/dbclient.1 b/dbclient.1 index fbbbc1b..8a916dc 100644 --- a/dbclient.1 +++ b/dbclient.1 
@@ -94,7 +94,18 @@ is performed at all, this is usually undesirable. .B \-A Forward agent connections to the remote host. dbclient will use any OpenSSH-style agent program if available ($SSH_AUTH_SOCK will be set) for -public key authentication. Forwarding is only enabled if -A is specified. +public key authentication. Forwarding is only enabled if \fI-A\fR is specified. + +Beware that a forwarded agent connection will allow the remote server to have +the same authentication credentials as you have used locally. A compromised +remote server could use that to log in to other servers. + +In many situations Dropbear's multi-hop mode is a better and more secure alternative +to agent forwarding, avoiding having to trust the intermediate server. + +If the SSH agent program is set to prompt when a key is used, the +\fI-o DisableTrivialAuth\fR option can prevent UI confusion. + .TP .B \-W \fIwindowsize Specify the per-channel receive window buffer size. Increasing this @@ -159,6 +170,13 @@ Send dbclient log messages to syslog in addition to stderr. .TP .B Port Specify a listening port, like the \fI-p\fR argument. +.TP +.B DisableTrivialAuth +Disallow a server immediately +giving successful authentication (without presenting any password/pubkey prompt). +This avoids a UI confusion issue where it may appear that the user is accepting +a SSH agent prompt from their local machine, but are actually accepting a prompt +sent immediately by the remote server. .RE .TP .B \-s
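Review bot: the new CHANGES entry in the hunk at @@ -155,10 has a subject-agreement slip and an unanchored CVE remark. "it may appear that the user is accepting a SSH agent prompt from their local machine, but are actually accepting a prompt" mixes singular and plural; suggest "it may appear that the user is accepting an SSH agent prompt from their local machine, but they are actually accepting a prompt sent immediately by the remote server." The line "CVE-2021-36369 though the description there is a bit confused. It only applies to Dropbear as a client." reads as a fragment and leaves the reader guessing what the public description gets wrong; since the -A text in this same patch says the confusion arises when the agent is set to prompt on key use, consider spelling that out: "This is CVE-2021-36369 (the public description is somewhat confused: the issue only affects Dropbear used as a client, and only matters when agent forwarding is in use with an agent that prompts on key use)."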
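Review bot: the warning added under .B \-A in the hunk at @@ -94,7 overstates what a forwarded agent gives the server. "will allow the remote server to have the same authentication credentials as you have used locally" reads as if the keys themselves are exposed; a forwarded agent lets the remote host request signatures from your agent, and so authenticate as you to other hosts, only for as long as the session is open, and it cannot read the private keys out of the agent. Suggest: "Beware that a forwarded agent connection allows the remote server to authenticate using the keys in your agent for as long as the session lasts. A compromised remote server could use that to log in to other servers as you." Two smaller points: "Dropbear's multi-hop mode" is used without saying where it is documented, so add a pointer to the section of this page that describes it (or the relevant option) rather than leaving the term undefined; and the new \fI-A\fR and \fI-o DisableTrivialAuth\fR should use the roff minus escape, \fI\-A\fR and \fI\-o DisableTrivialAuth\fR, to match the .B \-A and .B \-W option headings in the same file (the existing \fI-p\fR in the Port entry has the same inconsistency, but new text need not copy it).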
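Review bot: the DisableTrivialAuth option entry in the hunk at @@ -159,6 +170,13 says what the option prevents but not when to turn it on or what the default is. Suggest stating the default, noting that the confusion it guards against only arises when agent forwarding (\-A) is used with an agent that prompts on key use, and cross-referencing the \-A text added earlier in this patch, since that is where the motivation is explained; as written a reader landing on this entry cannot tell whether it matters for them. The same grammar fix as in CHANGES applies here: "the user is accepting a SSH agent prompt ... but are actually accepting" should read "an SSH agent prompt ... but they are actually accepting".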