author Matt Johnston <matt@ucc.asn.au> 2022-11-11 11:25:50 +0800
committer Matt Johnston <matt@ucc.asn.au> 2022-11-11 11:25:50 +0800
commit b2b94acc97254c7fffcb375120eea26c42c65292 (patch)
tree fa6df68bf844627938d2c6666d80469941e78afe
parent 960d374e657602d1c6e09080cd4896b242c3eb75 (diff)
download dropbear-b2b94acc97254c7fffcb375120eea26c42c65292.tar.gz
Better docs for DisableTrivialAuth
-rw-r--r-- CHANGES    13
-rw-r--r-- dbclient.1 20
2 files changed, 27 insertions, 6 deletions
diff --git a/CHANGES b/CHANGES
index 9d9d480..457cb52 100644
--- a/CHANGES
+++ b/CHANGES
@@ -40,7 +40,7 @@ Features and Changes:
- Improve permission error message
Patch from k-kurematsu
-2022.82 regression fixes:
+Regression fixes from 2022.82:
- Fix X11 build
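Review bot: the new heading "Regression fixes from 2022.82:" can be read either as fixes that shipped in 2022.82 or as fixes for regressions that 2022.82 introduced; the original "2022.82 regression fixes:" and the entries under it (such as "Fix X11 build") suggest the latter, so a wording like "Fixes for regressions introduced in 2022.82:" would remove the ambiguity.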
@@ -155,10 +155,13 @@ Features and Changes:
Patch from Raphaƫl Hertzog
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903403
-- Added client option "-o DisableTrivialAuth". This can be used to prevent
- the server immediately accepting successful authentication (before any auth
- request) which could cause UI confusion and security issues with agent
- forwarding - it isn't clear which host is prompting to use a key.
+- Added client option "-o DisableTrivialAuth". It disallows a server immediately
+ giving successful authentication (without presenting any password/pubkey prompt).
+ This avoids a UI confusion issue where it may appear that the user is accepting
+ a SSH agent prompt from their local machine, but are actually accepting a prompt
+ sent immediately by the remote server.
+ CVE-2021-36369 though the description there is a bit confused. It only applies
+ to Dropbear as a client.
Thanks to Manfred Kaiser from Austrian MilCERT
- Add -q client option to hide remote banner, from Hans Harder
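Review bot: the added CVE line ("CVE-2021-36369 though the description there is a bit confused") sends readers to a description the entry itself calls confused without stating the mechanism Dropbear guards against; a single clause such as "a server that replies with authentication success before the client has attempted any authentication method" would let the CHANGES entry stand on its own. Also "accepting a SSH agent prompt" should read "accepting an SSH agent prompt", and "it may appear that the user is accepting ... but are actually accepting" mixes singular and plural subjects ("but is actually accepting").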
diff --git a/dbclient.1 b/dbclient.1
index fbbbc1b..8a916dc 100644
--- a/dbclient.1
+++ b/dbclient.1
@@ -94,7 +94,18 @@ is performed at all, this is usually undesirable.
.B \-A
Forward agent connections to the remote host. dbclient will use any
OpenSSH-style agent program if available ($SSH_AUTH_SOCK will be set) for
-public key authentication. Forwarding is only enabled if -A is specified.
+public key authentication. Forwarding is only enabled if \fI-A\fR is specified.
+
+Beware that a forwarded agent connection will allow the remote server to have
+the same authentication credentials as you have used locally. A compromised
+remote server could use that to log in to other servers.
+
+In many situations Dropbear's multi-hop mode is a better and more secure alternative
+to agent forwarding, avoiding having to trust the intermediate server.
+
+If the SSH agent program is set to prompt when a key is used, the
+\fI-o DisableTrivialAuth\fR option can prevent UI confusion.
+
.TP
.B \-W \fIwindowsize
Specify the per-channel receive window buffer size. Increasing this
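Review bot: "will allow the remote server to have the same authentication credentials as you have used locally" overstates what is exposed: the server never receives the keys, it can only ask the forwarded agent to sign challenges with any key the agent holds for as long as the session is open. Suggest "allow the remote server to authenticate with any key held by your local agent for as long as the session is open", and have the multi-hop paragraph point the reader at the multi-hop syntax described elsewhere in this page so they can find the alternative being recommended.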
@@ -159,6 +170,13 @@ Send dbclient log messages to syslog in addition to stderr.
.TP
.B Port
Specify a listening port, like the \fI-p\fR argument.
+.TP
+.B DisableTrivialAuth
+Disallow a server immediately
+giving successful authentication (without presenting any password/pubkey prompt).
+This avoids a UI confusion issue where it may appear that the user is accepting
+a SSH agent prompt from their local machine, but are actually accepting a prompt
+sent immediately by the remote server.
.RE
.TP
.B \-s
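Review bot: the new DisableTrivialAuth entry says what is disallowed but not what dbclient does when a server nonetheless answers with immediate success while the option is set (whether the connection is dropped with an error or authentication simply continues); add a sentence stating the client behaviour, since that is what a user reading the option would act on. "a SSH agent prompt" should be "an SSH agent prompt" here as in the identical CHANGES text, and the split across "Disallow a server immediately" / "giving successful authentication" reads better on one line.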