Firewall Wizards mailing list archives
Re: ssh holes? Trojans?
From: John Ladwig <jladwig () aravox com>
Date: Wed, 20 Sep 2000 21:45:48 -0500 (CDT)
[ I'll leave aside discussion of the merits of MiTM-SSH, and instead pass along a little real-world anecdote... ]
On Mon, 18 Sep 2000 15:28:29 -0700 (PDT), Gregory Hicks <ghicks () cadence com> said:
Gregory> After hearing from another source (an employee discussed Gregory> our 'new' policy with their SO at home), we 'heard' that Gregory> there are ssh 'trojans'... Any truth to the rumor? I Gregory> haven't been able to find any info on this. During the course of an intrusion investigation in a prior life, I witnessed intruder trojaning of both SSH clients and servers. It was only a few extra lines on the SSH Inc codebase. The implementation basically created a logfile of local_host:remote_host:username:password tuples. Very effective, economical and precise, compared with your average password-sniffer logfile. If you can successfully install a trojaned ssh client on, say, a major shell-access ISP and get lucky and have it go undetected, you can catch a *lot* of interesting fish. Disallowing tunneled passwords would defeat this particular attack, though the key-based alternative instead swings the vulnerable point to the passphrase protecting an identity private keyfile (we know how good most passphrases are), and locks out those whose clients can't use the key-based authentication mechanism. That said, it limits the harvesting potential somewhat; its value depends on your threat model. At the risk of introducing unbearable (really - just ask them... no, wait, they'll tell you soon enough) pain to your non-geek userbase, you could go for OpenSSH's one-time-password authentication option inside the tunnel. Pick your poison. -jml _______________________________________________ Firewall-wizards mailing list Firewall-wizards () nfr net http://www.nfr.net/mailman/listinfo/firewall-wizards
Current thread:
- ssh holes? Trojans? Gregory Hicks (Sep 19)
- Re: ssh holes? Trojans? John Ladwig (Sep 22)
- <Possible follow-ups>
- RE: ssh holes? Trojans? sean . kelly (Sep 22)
- RE: ssh holes? Trojans? Paul D. Robertson (Sep 22)