Firewall Wizards mailing list archives

Re: ssh holes? Trojans? [long]


From: Magosányi Árpád <mag () bunuel tii matav hu>
Date: Tue, 26 Sep 2000 14:09:26 +0200

My mail client thinks that Ben Nagy wrote the following:
Actually I have seen such an implementation working. It was written by
bazsi () balabit hu for a never published firewall product, based on lsh.

OK, you're scaring me. If you've seen a working implementation of a product
that can do SSH MitM without a compromised client and allowing cleartext
monitoring of the traffic that's a *serious* flaw in the protocol.

I don't mean to sound sceptical, but are you _sure_ that's what you're
saying?

Someone call the IETF! ;)

Calm down. It did change the keys on the fly, which means that the user
had to enable agent forwarding to use RSA authentication, and the
ssh key on the server wasn't the same as the one told by the firewall.
As far as I can remember, the proxy even sent a debug log to the client
about doing the key exchange.

Yes, it is still a bit scary. Its legitimate use shall be backed up
by a security policy stating that all traffic is monitored. But there
are cases where it is okay, at least from the organisation's standpoint.
It is better than disabling ssh because it cannot be monitored (I have heard
of such cases, do not laugh).

-- 
GNU GPL: only from a clean source
