Re: ssh and hosts.allow; purpose of ssh
From: nickd@nospam.demon.co.uk Date: 12/21/01
- Previous message: nickd@nospam.demon.co.uk: "Re: ssh and hosts.allow; purpose of ssh"
- In reply to: Richard E. Silverman: "Re: ssh and hosts.allow; purpose of ssh"
- Next in thread: Pierre Asselin: "Re: ssh and hosts.allow; purpose of ssh"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: nickd@nospam.demon.co.uk Date: Fri, 21 Dec 2001 17:34:18 GMT
Richard E. Silverman <slade@shore.net> wrote:
>>>>>> "nickd" == nickd <nickd@nospam.demon.co.uk> writes:
>
> nickd> IP address faking is definitely non-trivial, so restricting
> nickd> access based on source IP is definitely a win.
>
> In many common scenarios, it is *entirely* trivial. Example: you are
> accessing the SSH server from a home cable modem connection. You are on
> the same IP subnet / broadcast segment with everyone on your block,
> including the script kiddie down the street. He can see all your traffic
> using nothing more sophisticated than tcpdump.
I know this is a bit off-topic, and I'd rather not crosspost somewhere
else, but in cable modem situations can he see *all* your traffic? The
worst I'd heard of, at least in the UK, is seeing ARP requests.
> He observes that you log into this particular SSH server in the evening,
> and notes the source and destination IP addresses. During the day, when
> your machine is quiet or turned off and will not interfere (and relevant
> ARP cache entries, if any have timed out), he simply sets his machine to
> use your IP address (nothing more complicated than one "ifconfig" command
> here), and connects.
Are cable modem, er, concentrators, usually that easy to deceive? I would
have thought / hoped the IP addresses would be hardwired to a cable modem.
> This will work just fine, since he's on the same subnet with you; there
> are no routing problems.
Fair point.
> If he is elsewhere in the network, then he may have to subvert some number
> of routers --
Surely he *will* have to rather than *may* have to, and you make it sound so
simple :) Even after compromising all these routers, he's got to convince
all those routers that 1.1.1.2 is wherever he's connected to, whereas
everything else in 1.1.1.0/24 goes towards whatever it usually goes to.
I doubt you can achieve such a feat without setting off all sorts of network
monitors, though I'd be interested to hear otherwise. Maybe I am being
naive, I recall reading about "dark" IP space recently.
> or merely break into *one* machine on your subnet to do exactly the same
> as above.
Bah, now that's not IP fakery, that's just breaking into your hosts.
> In a network you do not control, IP addresses provide *no* real origin
> authentication. None.
They don't provide absolute proof (oh, to be back in the days when the
r-services were a good idea) but IMHO they're a good indication of where a
packet really came from, if not a perfect one.
> nickd> It's buying him extra security, because then the daemon is less
> nickd> vulnerable to the kind of exploits that have affected ssh
> nickd> recently.
>
> Given the ease of subverting this sort of restriction, I don't think it's
> worth it relative to the annoyance and damage to the usefulness of the
> system.
Given the difficulty of subverting this sort of restriction, I still think
it's worth it :) I worry about your neighbourhood though, Richard: have you
got a cable modem in Silicon Valley and some dangerous neighbours?
> Again, in other situations (with closed networks and known account/host
> associations), it could be appropriate.
-- "Anyone with the naivety to run IIS is, IMHO, automatically suspect when it comes to doing anything technical, such as setting a clock."
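An arpwatch-style check for the address takeover Richard describes above, added here as an example and not part of the thread. It replays constructed ARP observations (the IP addresses, MAC addresses and timestamps are made up) and reports an IP reappearing behind a different MAC, flagging the case where the address had been idle beforehand, which is the signal a segment operator could watch for.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpObservation:
    ts: int   # seconds since epoch (constructed sample values)
    ip: str
    mac: str


def find_ip_mac_changes(observations, idle_threshold=3600):
    """Replay observations in time order and report every time an IP shows up
    behind a different MAC than the one previously recorded for it.

    Each alert carries 'after_idle', True when the IP had been silent for
    longer than idle_threshold seconds before the change (the "machine quiet
    or turned off" situation from the thread).
    """
    last_seen = {}   # ip -> (mac, ts) of the most recent observation
    alerts = []
    for obs in sorted(observations, key=lambda o: o.ts):
        mac = obs.mac.lower()   # normalise case so 00:AA and 00:aa compare equal
        prev = last_seen.get(obs.ip)
        if prev is not None and prev[0] != mac:
            alerts.append({
                "ip": obs.ip,
                "old_mac": prev[0],
                "new_mac": mac,
                "ts": obs.ts,
                "after_idle": (obs.ts - prev[1]) > idle_threshold,
            })
        last_seen[obs.ip] = (mac, obs.ts)
    return alerts


# Constructed sample: 1.1.1.2 is used in the evening, goes quiet, and about
# twelve hours later the same address turns up behind another MAC.
SAMPLE = [
    ArpObservation(1008966000, "1.1.1.2", "00:11:22:33:44:55"),
    ArpObservation(1008966600, "1.1.1.2", "00:11:22:33:44:55"),
    ArpObservation(1008966900, "1.1.1.3", "00:aa:bb:cc:dd:ee"),
    ArpObservation(1009010000, "1.1.1.2", "de:ad:be:ef:00:01"),  # different MAC
    ArpObservation(1009010300, "1.1.1.3", "00:AA:BB:CC:DD:EE"),  # same MAC, no alert
]

if __name__ == "__main__":
    for alert in find_ip_mac_changes(SAMPLE):
        print(alert)
```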
- Next message: Roger: "SSH File Transfers"