From: Jeff King <peff@peff.net>
To: "Ævar Arnfjörð Bjarmason" <avarab@gmail.com>
Cc: "brian m. carlson" <sandals@crustytoothpaste.net>,
Harley Paterson <harley.paterson@hotmail.co.nz>,
"git@vger.kernel.org" <git@vger.kernel.org>
Subject: Re: False negative authentication with multiple accounts on a SSH-GIT server
Date: Wed, 20 Jan 2021 09:35:45 -0500 [thread overview]
Message-ID: <YAg/wV05JYbzOdck@coredump.intra.peff.net> (raw)
In-Reply-To: <87im7r93u7.fsf@evledraar.gmail.com>
On Wed, Jan 20, 2021 at 01:42:56PM +0100, Ævar Arnfjörð Bjarmason wrote:
> > Unfortunately, this leaks whether a repository exists. If Company XYZ
> > has a repository for each of its clients, it then becomes easy to see if
> > Company XYZ is doing work for a particular client by trying to see if a
> > repository exists.
>
> I wonder how many hosting providers are confident that the code involved
> in this isn't vulnerable to a timing attack.
I would say "not very certain" in the case of GitHub. I don't recall any
analysis of the timing ever having happened.
> Why would a site like GitHub treat ssh differently than https here? I
> think it just comes down to openssh's support for use-case being a bit
> of a pain to configure.
GitHub doesn't use openssh at all; ssh sessions are terminated at a
custom load-balancing/proxy layer daemon.
I agree that servers in general probably could accept this notion of "no
valid user" for ssh sessions. I just think it's something that nobody
has asked for. I.e., if you are not planning to be an authenticated
user, then why use ssh in the first place? Certainly you could ask "why
not", but AFAIK this is the first time it has come up.
There is one protocol issue I'm not sure of, though. My understanding of
ssh auth is that the client offers keys in sequence, and the server says
"yes" or "no" on each. We'd want to continue saying "no" on keys that we
don't know about, so the client may keep trying other keys to which we
might say "yes". But after having seen all of the keys, what then?
We would want the server to say "OK, even though we don't like any of
your keys, let's start a session anyway". Is that possible within the
protocol? I think having the server say "OK, now try password auth" is
not a good idea. If the client asks for a dummy password, that is likely
to be either confusing, or disrupt sessions without a human present.
But I don't know the ssh protocol very well, so perhaps my understanding
of what is possible totally wrong. https has this much easier because
unauthenticated requests are totally normal, and the server sees the
auth along with the whole request at the same time.
-Peff
next prev parent reply other threads:[~2021-01-20 14:39 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-19 6:17 False negative authentication with multiple accounts on a SSH-GIT server Harley Paterson
2021-01-19 18:22 ` M. Buecher
2021-01-19 23:11 ` brian m. carlson
2021-01-20 12:42 ` Ævar Arnfjörð Bjarmason
2021-01-20 14:35 ` Jeff King [this message]
2021-01-20 19:11 ` Harley Paterson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YAg/wV05JYbzOdck@coredump.intra.peff.net \
--to=peff@peff.net \
--cc=avarab@gmail.com \
--cc=git@vger.kernel.org \
--cc=harley.paterson@hotmail.co.nz \
--cc=sandals@crustytoothpaste.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).