third-party-mirrors/ssh-chat
1
0
Fork 0
mirror of https://github.com/shazow/ssh-chat.git synced 2025-05-24 02:37:43 +03:00
Code Issues Projects Releases Wiki Activity

Updated Privacy and Anonymity (markdown)

nya-furball 2021-04-16 13:05:18 +00:00
parent d9a4d381dd
commit d0b8cd0346
1 changed files with 27 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
Privacy-and-Anonymity.md

@ -23,7 +23,7 @@ Your current local username. This is sent and read by the server to set your dis
# Problematic Features in the OpenSSH Client # Problematic Features in the OpenSSH Client
Some features that are likely to be enabled by by default in the OpenSSH client used by linux distributions:<br/> Some features that are likely to be enabled by by default in the OpenSSH client used by linux distributions:<br/>
### ssh-agent: <br/> ### ssh-agent: <br/>
ssh-agent will try all of your ssh identity keypairs found in $HOME/.ssh/ and any other directory that you configured to store ssh identities. A malicious server can log the identities sent by ssh-agent to uniquely profile a user.<br/> ssh-agent will try all of your ssh identity keypairs found in $HOME/.ssh/ and any other directory that you configured to store ssh identities. A malicious server can log the identities sent by the ssh client to uniquely profile a user.<br/>
### PKCS11Provider: <br/> ### PKCS11Provider: <br/>
Same issue as ssh-agent, but with PKCS11 Identities.<br/> Same issue as ssh-agent, but with PKCS11 Identities.<br/>
### ForwardAgent: <br/> ### ForwardAgent: <br/>
@ -32,10 +32,34 @@ Forwards your local connection to your authentication agent over the ssh tunnel.
Redirects X11 connections over the ssh tunnel. THIS IS DANGEROUS as any remote user that can bypass file restrictions can access your local X11 display! A malicious server or any server operating in a hostile environment can attack your local machine!<br/> Redirects X11 connections over the ssh tunnel. THIS IS DANGEROUS as any remote user that can bypass file restrictions can access your local X11 display! A malicious server or any server operating in a hostile environment can attack your local machine!<br/>
# Mitigations # Mitigations
TODO<br/> ### OpenSSH: <br/>
To disable your OpenSSH client from sending all avaiable pubkeys on your computer and other problematic features, do the following: <br/>
1: Copy and paste the following codeblock at the end of your ssh_config file:
```
Host *
IdentitiesOnly yes
ForwardX11 no
ForwardAgent no
GSSAPIAUthentication no
```
2: Avoid creating the following keys or rename existing ones on the following list: <br/>
```
$HOME/.ssh/identity
$HOME/.ssh/id_rsa
$HOME/.ssh/id_dsa
$HOME/.ssh/id_ecdsa
$HOME/.ssh/id_ed25519
$HOME/.ssh/id_xmss
```
<br/>
Explaination: <br/>
TODO <br/>
# Sources Referenced:
# Page TODO: # Page TODO:
- Explain Thread modeling - Explain Threat modeling
- Link to opsec resources - Link to opsec resources
- Investigate and finish mitigations section - Investigate and finish mitigations section
- Investigate other ssh clients<br/> - Investigate other ssh clients<br/>