Firewall Wizards mailing list archives
Re: potential ssh attack
From: Barney Wolff <barney () databus com>
Date: Fri, 11 Jun 1999 22:33 EDT
But surely the machine running sshd required some form of authentication before it was willing to forward packets? You may not have noticed it, but entering the passphrase to unlock your private key on your machine then enabled your ssh to use that private key to authenticate to the machine running sshd. If not, the sshd setup is really screwed up. So it's not just anybody with a copy of ssh that can get service - you have to be somebody that sshd on the target believes is authorized, and prove you're you.

In general, if you can authenticate to the sshd machine, you can log in to it and run anything on it that you're entitled to. So port forwarding adds no extra risk.

Barney Wolff <barney () databus com>
Date: Wed, 9 Jun 1999 02:49:36 -0400
From: Matt Dunn <matt () electrocentric com>

Here's the problem. From any machine that can connect to the ssh port (i.e. not tcp wrapped or what have you), it would be possible to make a connection to any port on the machine using ssh's port forwarding features, routing the authentication through the attacker's local machine. For example:

    attacker1:# ssh -R 345:target.machine.com:25 127.0.0.1

The only authentication that happens in this case is that the attacker's local machine asks her for the local account's password, which she more than likely already knows, and the sshd on the target machine merrily begins redirecting requests from this tunnel to its SMTP port, effectively opening that port to some other form of attack which would normally have been blocked by the now bypassed filtering mechanism.