Using ProxyCommand w/a non-existent host results in infinite spawns.

Bug #1025418 reported by Jordon Bedwell
Affects           Status   Importance  Assigned to  Milestone
openssh (Ubuntu)  Invalid  Undecided   Unassigned

Bug Description

Version: OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012
Package: openssh-client

Today we discovered a possible bug in the OpenSSH-Client package (openssh) that happens when you enable ProxyCommand with a non-existent hostname. This bug is easily replicated with the default example in /etc/ssh/ssh_config. If one uncomments that line and then for example tries to push via Git SSH you end up with SSH spawning over and over and over again as seen in the attached screenshot.

I have flagged this as a security bug (but ultimately it's up to y'all if it is) because any user can do this and take down any server quite easily by adding a bad ProxyCommand to their ~/.ssh/config. I was able to take out one of my personal servers (which happens to be a pretty big server) within a few minutes.

Revision history for this message
Jordon Bedwell (envygeeks) wrote :
security vulnerability: yes → no
visibility: private → public
summary: - Using ProxyCommand with a non-existant URL results in infinite spawns.
+ Using ProxyCommand with a non-existant host results in infinite spawns.
summary: - Using ProxyCommand with a non-existant host results in infinite spawns.
+ Using ProxyCommand w/a non-existant host results in infinite spawns.
Revision history for this message
James Page (james-page) wrote :

Hi Jordon

Thanks for taking the time to report this bug in Ubuntu.

By just uncommenting that one line you will create a proxy loop - the gateway.example.com needs to be set up with a "ProxyCommand None" entry as well. So it's nothing to do with a non-existent host - it's just a misconfiguration IMHO.

I was not able to take down a 12.04 server - I quickly got an out-of-memory error and the ssh command terminated.

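A way to check an ssh_config for the proxy loop described in the comment above, as an added example that is not part of the bug thread or of OpenSSH. It follows the proxy chain under ssh_config's first-match rule with awk; git.example.com is a constructed destination, and the script assumes the gateway is the last word of an "ssh ..." ProxyCommand.

```shell
#!/bin/sh
# Added example (not from the bug thread or OpenSSH): follow an ssh_config proxy
# chain under ssh_config's first-match rule and flag the loop described above.
# Assumes the gateway is the last word of an "ssh ..." ProxyCommand; Host
# negation (!pat) and Match blocks are not handled.
# Constructed configs. The first is the /etc/ssh/ssh_config example uncommented:
# every host, including gateway.example.com itself, is proxied via the gateway.
LOOPING_CFG=$(mktemp); FIXED_CFG=$(mktemp)
trap 'rm -f "$LOOPING_CFG" "$FIXED_CFG"' EXIT
cat > "$LOOPING_CFG" <<'EOF'
Host *
    ProxyCommand ssh -q -W %h:%p gateway.example.com
EOF
# The fix from the comment above: a "ProxyCommand none" exclusion for the gateway,
# placed BEFORE the wildcard block so it is the first match for gateway.example.com.
cat > "$FIXED_CFG" <<'EOF'
Host gateway.example.com
    ProxyCommand none
Host *
    ProxyCommand ssh -q -W %h:%p gateway.example.com
EOF
# proxy_loop_check <ssh_config> <destination>: prints the chain; exit status 1 on a loop.
proxy_loop_check() {
    awk -v start="$2" '
    function glob2re(p) { gsub(/\./, "[.]", p); gsub(/\*/, ".*", p); gsub(/\?/, ".", p); return "^" p "$" }
    # index of the first block that matches host h AND sets ProxyCommand (0 if none)
    function firstblock(h,   i, k) {
        for (i = 1; i <= nblk; i++) if (i in pc)
            for (k = 1; k <= npat[i]; k++) if (h ~ glob2re(pat[i, k])) return i
        return 0
    }
    tolower($1) == "host" { nblk++; npat[nblk] = NF - 1; for (k = 2; k <= NF; k++) pat[nblk, k - 1] = $k }
    tolower($1) == "proxycommand" && nblk && !(nblk in pc) {
        pc[nblk] = tolower($2); gw[nblk] = ($2 == "ssh") ? $NF : ""
    }
    END {
        h = start; chain = h; seen[h] = 1
        while (1) {
            b = firstblock(h)
            if (!b || pc[b] == "none") { print "ok:   " chain; exit 0 }
            if (gw[b] == "")            { print "ok:   " chain " -> (non-ssh proxy)"; exit 0 }
            h = gw[b]; chain = chain " -> " h
            if (h in seen) { print "LOOP: " chain; exit 1 }   # ssh would spawn ssh forever
            seen[h] = 1
        }
    }' "$1"
}
proxy_loop_check "$LOOPING_CFG" git.example.com || echo "looping config rejected"
proxy_loop_check "$FIXED_CFG" git.example.com
```

The same check also catches the exclusion being placed after the wildcard block, which ssh_config's first-match rule silently ignores.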
Revision history for this message
James Page (james-page) wrote :

Actually I got this:

You don't exist, go away!
ssh_exchange_identification: Connection closed by remote host

Revision history for this message
James Page (james-page) wrote :

And:

/bin/bash: Cannot allocate memory

Revision history for this message
Robie Basak (racb) wrote :

Jordon,

Thank you for your report.

It seems that you have misconfigured the ssh client, and the ssh client is then calling itself recursively in an infinite loop to fulfil its proxy as you have configured it.

This is not a vulnerability in ssh, as you aren't crossing a privilege boundary. You could just as well run a fork bomb to achieve the same effect. You already have permission to do this by virtue of having a user account. Your ssh client is just running within the permissions you already have and as you have configured it.

What you really have here is local resource exhaustion.

If you search for resource limits, you should find ways of configuring user accounts to limit this. If you think the default resource limits in Ubuntu are wrong, then that would be a reasonable view, but see bug 14505 for that.

Another view might be that ssh could have some kind of recursion limit to help users who accidentally misconfigure ssh. But I don't think it's worth Ubuntu carrying a delta for this, especially in a security-critical application. I don't see a configurable recursion limit in the documentation, so this might be a reasonable feature request for upstream, if you want to request it there.

As this is a misconfiguration rather than a bug, I'm closing this bug as Invalid.

Changed in openssh (Ubuntu):
status: New → Invalid
Changed in openssh (Ubuntu):
status: Invalid → New
status: New → Invalid
Revision history for this message
Jordon Bedwell (envygeeks) wrote :

@racb Setting aside the fact that you think I don't know how to configure a server or prevent it, the faulty logic is that "because you can fork bomb already this problem doesn't matter and it's not worth it" yeah? I don't know if that's funny or what...

Revision history for this message
Olivier Contant (ocontant) wrote :

I'm sorry to revive this old topic. I'm astonished that after 8 years, it hasn't been fixed.

I would like to push this up once more. The reason is that any user interaction that is not by design supposed to happen should be considered a user experience bug and fixed.

Crafting a fork bomb by design is out of the scope of this context. One is a malicious conscious creation of a piece of code, while a user misconfiguration is not.

It is easily preventable by creating a hardcoded automatic implicit exclusion of the gateway. It is not normal that a user could create a recursive infinite loop with a piece of configuration like this. We are responsible to protect the user in such a case.

The issue is not limited to Ubuntu, but affects all systems that embed OpenSSH. It should, therefore, be pushed upstream. I have sent an email to the OpenSSH developer mailing list and it would be welcome if Ubuntu were to request a fix as well. I will do the same request at RedHat.

Thank you for your cooperation.

Revision history for this message
Robie Basak (racb) wrote :

> It should, therefore, be pushed upstream.

Sure. Upstream can make a final determination, and Ubuntu will inherit their decision. Thank you for doing that.

> ...it would be welcome if Ubuntu were to request a fix as well.

Ubuntu is a community project and that community includes you. If you've made a request upstream, I don't think it's appropriate for anyone else to be joining in unless they have new and useful information to add.

Revision history for this message
Olivier Contant (ocontant) wrote :

Robie, any request for a fix takes priority based on the level of disruption. If more than one person faces the issue and requires a fix, it will create momentum and incentive to fix it.

Revision history for this message
Olivier Contant (ocontant) wrote :

A fix has been provided upstream. I believe the Ubuntu community should pick up from here and package the fix.

[ ... snip ...]
Darren Tucker:
We had some discussion about it amongst ourselves, but we were working on the 8.2 release at the time and we judged it too late to risk including this as it would potentially invalidate testing done to that point.

I actually committed[1] this change earlier today, and you can try it yourself by either checking out the source or trying a development snapshot[3]. Please let us know if you notice any problems.

[1] https://github.com/openssh/openssh-portable/commit/de1f3564cd85915b3002859873a37cb8d31ac9ce
[3] https://www.mindrot.org/openssh_snap/openssh-SNAP-20200218.tar.gz or https://www.mindrot.org/openssh_snap/openssh-SNAP-20200219.tar.gz

Revision history for this message
Robie Basak (racb) wrote :

> A fix has been provided upstream. I believe the Ubuntu community should pick up from here and packages the fix.

That looks like it's for the specialist ProxyJump directive though, and not the more general ProxyCommand?

Please could you link to the upstream discussion?
