3057 – Fork-bomb when misconfiguring a host to ProxyJump onto itself

Bug 3057 - Fork-bomb when misconfiguring a host to ProxyJump onto itself

Summary: Fork-bomb when misconfiguring a host to ProxyJump onto itself

Status:	CLOSED FIXED

Alias:	None

Product:	Portable OpenSSH
Classification:	Unclassified
Component:	ssh (show other bugs)
Version:	7.9p1
Hardware:	Other Linux

Importance:	P5 enhancement
Assignee:	Assigned to nobody

URL:
Keywords:

Duplicates (1):	3107 (view as bug list)
Depends on:
Blocks:	V_8_3
	Show dependency tree / graph

Reported:	2019-08-14 18:14 AEST by Andrej Kacian
Modified:	2021-10-14 01:40 AEDT (History)
CC List:	5 users (show)

See Also:

Attachments
Detect simple proxyjump loops (1.00 KB, patch) 2020-02-18 19:53 AEDT, Darren Tucker	no flags	Details \| Diff
Also check jumphost user (1.38 KB, patch) 2020-07-31 13:52 AEST, Darren Tucker	djm: ok+	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andrej Kacian 2019-08-14 18:14:20 AEST

Following configuration causes ssh to spawn endless copies of itself when user tries to connect to the specified host.

Host foo
ProxyJump foo

# or more generic
Host *
ProxyJump %h

I have reproduced this on 7.9p1 on Suse Linux Enterprise Server 15 and on 7.4p1 on Debian Stretch (currently oldstable).

Depending on limits configured on the server, this, like any other forkbomb, can cause all kinds of fun behavior on the local server.

Perhaps the client could check for this edge case and avoid trying to make an impossible proxy connection.

Comment 1 petoju 2019-12-21 21:28:33 AEDT

*** Bug 3107 has been marked as a duplicate of this bug. ***

Comment 2 Darren Tucker 2020-02-18 19:53:37 AEDT

Created attachment 3356 [details]
Detect simple proxyjump loops

We have just committed the follow patch which should address this issue (at least for the simple case) and will be in the 8.3 release.  Thanks for the report.

Comment 3 woodwardj 2020-07-30 06:05:35 AEST

Shouldn't this check also verify it is not the same user? I often use -J <un-privileged-user>@<same host> <privileged-user>@<same host>.

Comment 4 Darren Tucker 2020-07-31 13:52:43 AEST

Created attachment 3436 [details]
Also check jumphost user

I hadn't considered that use case but we could do that too.

Comment 5 Darren Tucker 2020-07-31 14:20:35 AEST

Patch applied, thanks.  It will be in the 8.4 release.

Comment 6 Damien Miller 2021-04-23 15:01:28 AEST

closing resolved bugs as of 8.6p1 release

Comment 7 Ahmed Sayeed 2021-10-14 01:40:31 AEDT

[spam removed]