Re: Securing ssh tunnels.
From: Brian Hatch (secure-shell_at_ifokr.org)
Date: 06/27/03
- Previous message: jhidalgo: "RE: Second instance if SSH not running"
- In reply to: Markus Friedl: "Re: Securing ssh tunnels."
- Next in thread: Roy S. Rapoport: "Re: Securing ssh tunnels."
Date: Fri, 27 Jun 2003 11:42:19 -0700
To: Markus Friedl <markus@openbsd.org>
> but even if you have a ssh mitm-proxy, you still can do this:
>
> ssh \
> -o proxycommand="ssh -p %p %h sshd -i -h $HOME/.ssh/hostkey -f /dev/null" \
...
Of course. However you've prevented the easiest method. Such a proxy
will still stop
* a non-savvy employee or cracker who wants to tunnel
* an uneducated employee whose .ssh/config has permissive modes
(X11, agent) and doesn't need them or know about it
And, since you do have access to the outer SSH transmission in
cleartext, you would be able to see if they're tunneling something
inside it and use the correct means to correct the problem: fire
the employee.
--
Brian Hatch
Cat. The other white meat.
Systems and Security Engineer
http://www.ifokr.org/bri/
Every message PGP signed
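
The check described above, as an added example that is not part of the original message: given the decrypted packet payloads an inspecting SSH proxy can see, it flags RFC 4254 messages that set up port, X11 or agent forwarding, and flags an SSH version banner inside channel data (the nested-sshd case from the quoted command). It assumes the proxy hands over each payload starting at the message-type byte; the function names and sample payloads are constructed for illustration.

```python
import struct

# Message numbers and names are from RFC 4254 (SSH connection protocol).
GLOBAL_REQUEST, CHANNEL_OPEN, CHANNEL_DATA, CHANNEL_REQUEST = 80, 90, 94, 98
# type -> (offset of the name string, label, names that indicate forwarding).
# Offset 1 follows the type byte; 5 also skips a uint32 recipient channel.
WATCH = {
    CHANNEL_OPEN: (1, "channel-open", {b"direct-tcpip", b"forwarded-tcpip",
                                       b"x11", b"auth-agent@openssh.com"}),
    GLOBAL_REQUEST: (1, "global-request", {b"tcpip-forward"}),
    CHANNEL_REQUEST: (5, "channel-request", {b"x11-req", b"auth-agent-req@openssh.com"}),
}

def read_string(buf, off):
    """Return the SSH 'string' (uint32 length + bytes) at off, bounds-checked."""
    end = off + 4 + struct.unpack_from(">I", buf, off)[0]  # struct.error if short
    if end > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:end]

def classify(payload):
    """Return a finding for one decrypted packet payload, or None."""
    kind = payload[0] if payload else None
    try:
        if kind in WATCH:
            off, label, names = WATCH[kind]
            name = read_string(payload, off)
            if name in names:
                return label + ":" + name.decode("ascii")
        elif kind == CHANNEL_DATA:
            # Heuristic: an SSH version banner in channel data suggests nested SSH.
            if read_string(payload, 5).startswith((b"SSH-2.0-", b"SSH-1.99-")):
                return "nested-ssh-banner"
    except (ValueError, struct.error):
        return "malformed"
    return None

def findings(payloads):
    return [f for f in map(classify, payloads) if f]

def ssh_string(b):  # encode an SSH string for the samples below
    return struct.pack(">I", len(b)) + b

# Constructed sample payloads (not captured traffic; trailing fields trimmed).
SAMPLES = [
    bytes([CHANNEL_OPEN]) + ssh_string(b"direct-tcpip"),
    bytes([CHANNEL_REQUEST]) + bytes(4) + ssh_string(b"auth-agent-req@openssh.com"),
    bytes([CHANNEL_DATA]) + bytes(4) + ssh_string(b"SSH-2.0-OpenSSH_3.6.1p2\r\n"),
    bytes([CHANNEL_DATA]) + bytes(4) + ssh_string(b"ls -l\n"),
]
```

The banner match only fires when the banner starts a data chunk, so it is a heuristic rather than proof either way.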