Firewall Wizards mailing list archives

Re: SSH through firewall


From: "Kevin T. Shivers" <kts () clark net>
Date: Mon, 5 Jul 1999 23:12:29 -0400 (EDT)

On Fri, 2 Jul 1999, Ginsberg Rainer (QI/INF4) * wrote:

> I'm thinking about allowing users in the trusted network to do ssh through a
> non-transparent application gateway firewall into an untrusted network.
>
> Do you think this is "secure"? I'm not sure because users can tunnel all
> kinds of protocols in ssh. What would be possible attacks?

Of course it's not secure. Any opening in a firewall is insecure. You want
to be secure?  Cut your Internet connection. Oh wait, sorry, I'm in rant
mode. :)

I think it's not such a bad thing to do.  I've used it in a transparent
firewall setting and it is *very* nice to have.  The only possible
attacks I can think of would be very hard to pull off, but they could
possibly be done.  For instance, someone could spoof things to make it
look like they were the server that you wanted to go to and then capture
what you type, but the ssh keys would (or at least should) be different, so
you should see ssh spit out a nasty message to the user.  At least UNIX
versions of ssh do that.

> Do you think this is feasible with a non-transparent firewall? Do you know
> a firewall that is capable of this?

Hmmm, this I am not sure about, but I think it may not work.  I will let
other people on this list who know more about this answer definitively,
but here's my shot.

Machines running sshd have an ssh host key associated with that specific
machine, so if your machine inside the firewall is connecting to the
firewall and then to the outside, ssh might go nuts with the ssh key.  If
ssh records the host key of the firewall for each host outside the
firewall, then siteb.com will look just like sitea.com and ssh will pop up
those nasty messages. If it records the external site's ssh key instead,
then everything will work.  At least, I think it will work.  I don't know
how well tunneling stuff like X will work, but I do know it does work
on our transparent firewall.  I think someone has used ssh with
plug-gw on fwtk, and I know people are using it on Gauntlet (myself
included), but I don't know about any of the other firewalls.  I think
someone might have also made an ssh proxy for fwtk, but I'm not sure;
check fwtk.org for some info if you want.

Anyway, I hope this helped, and take this with a grain of salt.  I don't
want to get yelled at if it turns out I'm wrong. :)

> Rainer

kts

--
Kevin T. Shivers                 NT & UNIX Systems Mutiliator
Shivers Consulting               http://www.clark.net/pub/kts
kts () clark net
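Added here to illustrate the host-key concern discussed in the message above; this is an added example, not code from the original post or from any of the firewalls it mentions. It parses an OpenSSH known_hosts file (a constructed sample, with placeholder key blobs) and reports any host key that appears under several different entries, which is exactly what a client would end up with if it stored the gateway's key under each external site's name.

```python
# Check a known_hosts file for one host key recorded under several entries.
# Constructed sample data; the key blobs are placeholders, not real keys.
from collections import defaultdict

SAMPLE_KNOWN_HOSTS = """\
# sitea and siteb were reached through the same gateway
sitea.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDgateway
siteb.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDgateway
sitec.com,10.1.2.3 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDsitec
@revoked oldhost.example ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDold
"""


def parse_known_hosts(text):
    """Yield (hostnames, keytype, key) for each usable known_hosts entry.

    Handles comment lines, @-markers (@revoked, @cert-authority) and the
    comma-separated alias list; hashed hostnames (|1|...) are kept opaque.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):
            fields = fields[1:]  # drop the marker, keep the entry
        if len(fields) < 3:
            continue  # malformed line, ignore
        yield fields[0].split(","), fields[1], fields[2]


def shared_keys(text):
    """Return {(keytype, key): sorted hostnames} for keys used by >1 entry.

    Aliases on one line are one entry (same machine), so they never count
    as a collision on their own.
    """
    entries_by_key = defaultdict(list)
    for hosts, keytype, key in parse_known_hosts(text):
        entries_by_key[(keytype, key)].append(hosts)
    return {
        k: sorted({h for entry in entries for h in entry})
        for k, entries in entries_by_key.items()
        if len(entries) > 1
    }


if __name__ == "__main__":
    for (keytype, key), hosts in shared_keys(SAMPLE_KNOWN_HOSTS).items():
        print(f"{keytype} key ...{key[-8:]} shared by: {', '.join(hosts)}")
```

With OpenSSH the `HostKeyAlias` option, combined with `ProxyCommand` or `ProxyJump`, lets the client store each destination's own key under the destination's name so this collision does not arise.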
