Firewall Wizards mailing list archives
Re: ssh holes? Trojans? [long]
From: Magosányi Árpád <mag () bunuel tii matav hu>
Date: Tue, 26 Sep 2000 14:09:26 +0200
My mailer believes that Ben Nagy wrote the following:

>> Actually I have seen such an implementation working. It was written by bazsi () balabit hu for a never published firewall product, based on lsh.

> OK, you're scaring me. If you've seen a working implementation of a product that can do SSH MitM without a compromised client and allowing cleartext monitoring of the traffic that's a *serious* flaw in the protocol. I don't mean to sound sceptical, but are you _sure_ that's what you're saying? Someone call the IETF! ;)
Calm down. It did change the keys on the fly, which means that the user had to enable agent forwarding to use RSA authentication, and the ssh key on the server wasn't the same as the one told by the firewall. As far as I can remember, the proxy even sent a debug log to the client about doing the key exchange. Yes, it is still a bit scary. Its legitimate use shall be backed up by a security policy stating that all traffic is monitored. But there are cases where it is okay, at least from the organisation's standpoint. It is better than disabling ssh because it cannot be monitored (I have heard of such cases, do not laugh).

--
GNU GPL: only from a clean source

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
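The tell-tale sign described above (the key the client is shown by the firewall is not the real server's key) is exactly what host-key pinning in known_hosts detects. The following is an added example, not code from this thread or from the product it discusses; the hostname, the keys and the known_hosts contents are constructed placeholders, and hashed (`|1|`) or `@`-marked known_hosts entries are deliberately not handled.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data

def build_pubkey_blob(key_type: str, raw_key: bytes) -> bytes:
    """Build the public key blob that known_hosts stores base64-encoded."""
    return ssh_string(key_type.encode()) + ssh_string(raw_key)

def parse_blob(blob: bytes) -> list:
    """Split a public key blob back into its wire-format strings."""
    fields, off = [], 0
    while off < len(blob):
        (n,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    return fields

def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 of the digest, padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text: str) -> dict:
    """Map (hostname, key type) -> pinned key blob. Plain hostnames only."""
    pinned = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        for host in parts[0].split(","):
            pinned[(host, parts[1])] = base64.b64decode(parts[2])
    return pinned

def check_host_key(pinned: dict, host: str, presented: bytes) -> str:
    """'match', 'mismatch' (something rewrote the key in transit) or 'unknown' (no pin)."""
    key_type = parse_blob(presented)[0].decode()
    expected = pinned.get((host, key_type))
    if expected is None:
        return "unknown"
    return "match" if expected == presented else "mismatch"

# Constructed sample: the real server key versus the key a key-rewriting proxy
# would present instead. Neither is a real key; both are filler bytes.
REAL_BLOB = build_pubkey_blob("ssh-ed25519", b"\x01" * 32)
PROXY_BLOB = build_pubkey_blob("ssh-ed25519", b"\x02" * 32)
KNOWN_HOSTS = "# constructed known_hosts\ngateway.example ssh-ed25519 " + base64.b64encode(REAL_BLOB).decode()
PINNED = parse_known_hosts(KNOWN_HOSTS)
```

With the pin in place, `check_host_key(PINNED, "gateway.example", PROXY_BLOB)` returns "mismatch", which is the point at which a client should refuse to continue rather than accept a changed key.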