Firewall Wizards mailing list archives
Re: SSH through firewall
From: "Kevin T. Shivers" <kts () clark net>
Date: Mon, 5 Jul 1999 23:12:29 -0400 (EDT)
On Fri, 2 Jul 1999, Ginsberg Rainer (QI/INF4) * wrote:
> I'm thinking about allowing users in the trusted network to do ssh through a non-transparent application gateway firewall into an untrusted network. Do you think this is "secure"? I'm not sure because users can tunnel all kinds of protocols in ssh. What would be possible attacks?
Of course it's not secure. Any opening in a firewall is insecure. You want to be secure? Cut your Internet connection. Oh wait, sorry, I'm in rant mode. :) I think it's not such a bad thing to do. I've used it in a transparent firewall setting and it is *very* nice to have. The only possible attacks I can think of would be very hard to pull off, but they could possibly be done. For instance, someone could spoof things to make it look like they were the server that you wanted to go to and then capture what you type, but the ssh keys would (or at least should) be different, so you should see ssh spit out a nasty message to your user. At least UNIX versions of ssh do that.
> Do you think this is feasible with a non-transparent firewall? Do you know a firewall that is capable of this?
Hmmm, this I am not sure about, but I think it may not work. I will let other people on this list who know more about this answer definitively, but here's my shot. Machines running sshd have an ssh host key associated with that specific machine, so if your machine inside the firewall is connecting to the firewall and then to the outside, ssh might go nuts with the ssh key. If ssh records the host key of the firewall for each host outside the firewall, then siteb.com will look just like sitea.com and ssh will pop up those nasty messages. If it records the external site's ssh key instead, then everything will work. At least, I think it will work. I don't know how well tunneling stuff like X will work, but I do know it does work on our transparent firewall. I think someone has used ssh with plug-gw on fwtk, and I know people are using it on Gauntlet (myself included), but I don't know about any of the other firewalls. I think someone might have also made an ssh proxy for fwtk, but I'm not sure; check fwtk.org for some info if you want. Anyway, I hope this helped, and take this with a grain of salt. I don't want to get yelled at if it turns out I'm wrong. :)
> Rainer
kts
--
Kevin T. Shivers
NT & UNIX Systems Mutiliator
Shivers Consulting
http://www.clark.net/pub/kts
kts () clark net
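Kevin's point about which host key the client ends up recording, as an added example that is not part of the thread or of any SSH implementation: a small Python simulation of the known_hosts trust-on-first-use check under the two gateway behaviours (the gateway terminates SSH and shows its own key, or it relays bytes so the end host's key passes through). Host names, keys and all function names are constructed for illustration.

```python
"""Simulate the ssh client's known_hosts (trust-on-first-use) host key check
for the two gateway behaviours discussed in the thread.  Added example; the
host keys below are constructed stand-ins, not real public keys."""

# Constructed host keys (stand-ins for real public keys).
KEYS = {
    "gateway": "ssh-rsa AAAAgateway...",
    "sitea.com": "ssh-rsa AAAAsitea...",
    "siteb.com": "ssh-rsa AAAAsiteb...",
    "impostor": "ssh-rsa AAAAimpostor...",
}


def check_host_key(known_hosts, name, presented):
    """Return 'new' (first contact, key recorded), 'ok' (matches the stored
    key) or 'MISMATCH' (the nasty warning).  known_hosts is mutated on first
    contact, as the client's file would be."""
    stored = known_hosts.get(name)
    if stored is None:
        known_hosts[name] = presented
        return "new"
    return "ok" if stored == presented else "MISMATCH"


def connect(known_hosts, name, gateway_terminates, presented_by_wire=None):
    """One session to `name` through the firewall.  A non-transparent gateway
    that terminates SSH itself shows the client *its own* key; a byte-level
    relay (plug-gw style) passes through whatever key arrives on the wire."""
    presented = KEYS["gateway"] if gateway_terminates else (presented_by_wire or KEYS[name])
    return check_host_key(known_hosts, name, presented)


def hosts_sharing_key(known_hosts):
    """Defender check on a known_hosts file: names bound to one identical key.
    That means the client authenticates the gateway, not the remote hosts."""
    by_key = {}
    for name, key in known_hosts.items():
        by_key.setdefault(key, []).append(name)
    return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}


def run_scenarios():
    # Scenario 1: gateway terminates SSH; every outside host "has" the gateway key.
    kh1 = {}
    r1 = [connect(kh1, "sitea.com", True), connect(kh1, "siteb.com", True)]
    shared = hosts_sharing_key(kh1)
    r1.append(connect(kh1, "sitea.com", False))  # later direct session: real key, warning
    # Scenario 2: relay passes real keys; a differing key on a later session is caught.
    kh2 = {}
    r2 = [connect(kh2, "sitea.com", False), connect(kh2, "siteb.com", False),
          connect(kh2, "sitea.com", False),
          connect(kh2, "sitea.com", False, presented_by_wire=KEYS["impostor"])]
    return r1, shared, r2
```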