Firewall Wizards mailing list archives

RE: What's the deal with SSH? (was: PIX software release 5.2)


From: Jeffery.Gieser () minnesotamutual com
Date: Tue, 26 Sep 2000 09:57:11 -0500


Rob,

#Does this mean that if a box is compromised the traffic can still be
#monitored?

#Say users are accessing a *nix box via sshd/ssh (opensource version).  If
#the box is compromised but the attacker does not have root access, is it
#possible for the attacker to snoop the traffic between a user running as
#root via ssh?

#I was of the understanding that the total session was encrypted.  Still
#that was assumed - ass (of) u (and) me

     You are correct.  The SESSION is encrypted.  If I hack a UNIX SSH
server and run tcpdump from that server to intercept the session then I
will see only encrypted packets.  If I have root on a UNIX SSH server then
I can look at the .history file of the admin remotely connected to the box
to see what commands he is issuing or anything else I can do on a UNIX box
to monitor a user.  These work fine because what the remote user is doing
is decrypted when it reaches the SSH server.  Otherwise, the server would
be wondering where is the jdasd;hgjoa;ghiof;d command (translation: more
/etc/named.conf) =)

Regards,
Jeffery Gieser


_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards