Serious security problem with SSH

Ethan Trewhitt April 16, 2014

I have an evaluation Stash instance that has somehow gotten into a state where every user is authenticated as me, regardless of whether they have a valid public key.

I don't know enough about how Stash's SSH server works, but I stumbled on this page which says that the "whoami" command is available, so I created a fresh repo and logged in from a clean Linux machine:

# ssh -p 8022 git@git-server whoami
ethan

Not only does it allow me to log in (which it shouldn't), the whoami command returns my username.

This is on a completely clean machine - I picked a random Linux computer in the office and ran this command. That machine has an SSH key pair that has never been used in Stash.

Here's what led up to this problem, as far as I can tell...

This problem began when I created a repo Access Key. I then realized I'd rather have a project-level Access Key, so I deleted the repo one and added the same one as a project Access Key. All was well until I made some changes and pushed, only to realize that I shouldn't have been able to push ... but I could. This was in Stash 2.9, so I thought it might have to do with the new "Read" vs. "Read/Write" option in 2.12, so I upgraded to Stash 2.12.

In Stash 2.12, I removed the key and recreated it with explicit "Read" permissions. I could still push. So I deleted the key altogether and I could STILL push.

I removed all keys from the offending computer and I could still push. Finally I created a fresh repo, switched to an entirely different client computer, and the problem still occurs. Basically my whole GIT server is currently world-writable (within my LAN, at least) due to this problem.

Can I get any help debugging this issue?

2 answers

0 votes
Ethan Trewhitt October 2, 2014

I actually figured out what was happening. My SSH client, SecureCRT, has a checkbox for "Enable OpenSSH agent forwarding" that is selected by default. I only discovered after using "ssh -vvvv" to view debugging details about login that my local instance of Pageant was silently authenticating me via this forwarding mechanism. Thus, this is not a real problem with Stash. I apologize for the false accusations!
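The answer above traces the "mystery login" to agent forwarding that the client enabled by default. An OpenSSH client can end up in the same state through a blanket `ForwardAgent yes` under `Host *`, because OpenSSH takes the first value it obtains for each option. The following script is an added example, not part of the original thread or of Stash: it parses an OpenSSH `ssh_config`, resolves the effective `ForwardAgent` value for a destination with first-match-wins semantics, and runs over a constructed sample config (the host names in it are invented).

```python
"""Audit an OpenSSH client config for hosts that will forward the agent."""
import fnmatch

# Constructed sample config (not from the original post). The blanket
# "ForwardAgent yes" under "Host *" is the OpenSSH equivalent of the
# client checkbox described in the answer: it applies to every host
# that has no earlier, more specific setting.
SAMPLE_CONFIG = """
Host git-server
    HostName git-server.example.internal   # invented name
    Port 8022
    User git

Host build-box
    ForwardAgent no

Host *
    ForwardAgent yes
"""


def parse_config(text):
    """Return (patterns, {option: value}) blocks in file order.
    Options before the first Host line are global, modelled as 'Host *'."""
    blocks, patterns, options = [], ["*"], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            options.setdefault(key, value.lower())  # first value in a block wins
    blocks.append((patterns, options))
    return blocks


def host_matches(patterns, host):
    """ssh_config Host matching: a negated pattern vetoes, otherwise any match wins.
    Matching is done on the name typed on the command line, not on HostName."""
    if any(p.startswith("!") and fnmatch.fnmatchcase(host, p[1:]) for p in patterns):
        return False
    return any(not p.startswith("!") and fnmatch.fnmatchcase(host, p) for p in patterns)


def effective_option(text, host, option, default):
    """First obtained value wins, as in OpenSSH; otherwise the built-in default."""
    for patterns, options in parse_config(text):
        if host_matches(patterns, host) and option in options:
            return options[option]
    return default


def forwarding_enabled(text, host):
    """True when connecting to `host` would expose the local agent to the server."""
    return effective_option(text, host, "forwardagent", "no") == "yes"
```

Running `forwarding_enabled(SAMPLE_CONFIG, "git-server")` reports `True` even though the `git-server` block never mentions forwarding, which is exactly the silent behaviour the answer describes; the fix is an explicit `ForwardAgent no` in the `Host *` block or, better, no blanket block at all.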

0 votes
jhinch (Atlassian)
April 16, 2014

Hi Ethan, would you please create an issue on https://support.atlassian.com. This will allow us to dig into your problem.
