Firewall Wizards mailing list archives
RE: What's the deal with SSH? (was: PIX software release 5.2)
From: Jeffery.Gieser () minnesotamutual com
Date: Tue, 26 Sep 2000 09:57:11 -0500
Rob,

#Does this mean that if a box is compromised the traffic can still be
#monitored?
#Say users are accessing a *nix box via sshd/ssh (opensource version). If
#the box is compromised but the attacker does not have root access, is it
#possible for the attacker to snoop the traffic between a user running as
#root via ssh?
#I was of the understanding that the total session was encrypted. Still that
#was assumed - ass (of) u (and) me

You are correct. The SESSION is encrypted. If I hack a UNIX SSH server and run tcpdump from that server to intercept the session, then I will see only encrypted packets.

If I have root on a UNIX SSH server, then I can look at the .history file of the admin remotely connected to the box to see what commands he is issuing, or do anything else I can do on a UNIX box to monitor a user. These work fine because what the remote user is doing is decrypted when it reaches the SSH server. Otherwise, the server would be wondering where the jdasd;hgjoa;ghiof;d command is (translation: more /etc/named.conf) =)

Regards,

Jeffery Gieser