Firewall Wizards mailing list archives

Re: ssh holes? Trojans?


From: John Ladwig <jladwig () aravox com>
Date: Wed, 20 Sep 2000 21:45:48 -0500 (CDT)

[ I'll leave aside discussion of the merits  of MiTM-SSH, and instead
  pass along a little real-world anecdote...
]

On Mon, 18 Sep 2000 15:28:29 -0700 (PDT), Gregory Hicks <ghicks () cadence com> said:

    Gregory> After hearing from another source (an employee discussed
    Gregory> our 'new' policy with their SO at home), we 'heard' that
    Gregory> there are ssh 'trojans'...  Any truth to the rumor?  I
    Gregory> haven't been able to find any info on this.

During the course of an intrusion investigation in a prior life, I
witnessed intruder trojaning of both SSH clients and servers.  It was
only a few extra lines on the SSH Inc codebase.  The implementation
basically created a logfile of
local_host:remote_host:username:password tuples.  Very effective,
economical and precise, compared with your average password-sniffer
logfile.  If you can successfully install a trojaned ssh client on,
say, a major shell-access ISP and get lucky and have it go undetected,
you can catch a *lot* of interesting fish.
Disallowing tunneled passwords would defeat this particular attack,
though the key-based alternative instead swings the vulnerable point
to the passphrase protecting an identity private keyfile (we know how
good most passphrases are), and locks out those whose clients can't
use the key-based authentication mechanism.  That said, it limits the
harvesting potential somewhat; its value depends on your threat model.
At the risk of introducing unbearable (really - just ask them...  no,
wait, they'll tell you soon enough) pain to your non-geek userbase,
you could go for OpenSSH's one-time-password authentication option
inside the tunnel.

Pick your poison.

    -jml
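The three options weighed above, written out as an OpenSSH sshd_config fragment. This is an added illustration and not part of the original post or of any project's own configuration; the PAM module and the group name are assumptions, and the permissive and hardened blocks are alternatives, not one file.

```conf
# ---- Permissive (the setting the anecdote exploits) ----
# A password travels inside the tunnel, so a trojaned client or server
# can log it as a local_host:remote_host:username:password tuple.
PasswordAuthentication yes
PubkeyAuthentication yes

# ---- Hardened: no tunneled passwords ----
# A trojaned server now sees only a public-key signature, nothing reusable.
# A trojaned client still sees the key passphrase, so the weak point moves
# there, exactly as the post describes; the passphrase itself never
# crosses the wire.
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes

# One-time codes inside the tunnel are delivered via keyboard-interactive.
# The OTP module is configured in /etc/pam.d/sshd (assumed here, e.g. an
# OATH module); the PAM stack must NOT also prompt for the Unix password,
# or a reusable secret is back inside the tunnel.
UsePAM yes
KbdInteractiveAuthentication yes   # ChallengeResponseAuthentication on older releases

# Default: both a key and a one-time code.  A harvested code is spent
# after one use, so a trojaned client yields at most one session.
AuthenticationMethods publickey,keyboard-interactive

# Clients that cannot do key-based auth (the lockout concern): give them
# OTP-only from a named group rather than re-enabling passwords globally.
# Group name is assumed.
Match Group legacy-clients
    AuthenticationMethods keyboard-interactive
```

Check the effective result with `sshd -T` rather than by reading the file, since the first value sshd obtains for a keyword wins and Match blocks only override a subset of keywords.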

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards