[Bug 1025418] Re: Using ProxyCommand w/a non-existant host results in infinite spawns.

Robie Basak 1025418 at bugs.launchpad.net
Thu Jul 19 10:33:57 UTC 2012 

Jordon,

Thank you for your report.

It seems that you have misconfigured the ssh client, and the ssh client
is then calling itself recursively in an infinite loop to fulfil its
proxy as you have configured it.

This is not a vulnerability in ssh, as you aren't crossing a privilege
boundary. You could just as well run a fork bomb to achieve the same
effect. You already have permission to do this by virtue of having a
user account. Your ssh client is just running within the permissions you
already have and as you have configured it.

What you really have here is local resource exhaustion.

If you search for resource limits, you should find ways of configuring
user accounts to limit this. If you think the default resource limits in
Ubuntu are wrong, then that would be a reasonable view, but see bug
14505 for that.

Another view might be that ssh could have some kind of recursion limit
to help users who accidentally misconfigure ssh. But I don't think it's
worth Ubuntu carrying a delta for this, especially in a security-
critical application. I don't see a configurable recursion limit in the
documentation, so this might be a reasonable feature request for
upstream, if you want to request it there.

As this is a misconfiguration rather than a bug, I'm closing this bug as
Invalid.

** Changed in: openssh (Ubuntu)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1025418

Title:
  Using ProxyCommand w/a non-existant host results in infinite spawns.

Status in “openssh” package in Ubuntu:
  Invalid

Bug description:
  Version: OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012
  Package: openssh-client

  Today we discovered a possible bug in the OpenSSH-Client package
  (openssh) that happens when you enable ProxyCommand with a non-
  existant hostname.  This bug is easily replicated with the default
  example in /etc/ssh/ssh_config.  If one uncomments that line and then
  for example tries to push via Git SSH you end up with SSH spawning
  over and over and over again as seein the attached screenshot.

  I have flagged this as a security bug (but ultimately it's up to ya'll
  if it is) because any user can do this and take down any server quite
  easily by adding add a bad ProxyCommand to their ~/.ssh/config.  I was
  able to take out one of my personal servers (which happens to be a
  pretty big server) within a few minutes.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1025418/+subscriptions

More information about the foundations-bugs mailing list