Snoopable SSH? (was RE: SUNWski)

Rip Loomis loomisg at cist.saic.com
Wed Jul 26 00:57:34 EST 2000


David--
The original "snoop" output that you provided
sure does look to me as though you're using
SSH...but only *after* you've telnetted.

It looks as though this is the sequence of
events:

1.  Telnet from your local system to "machineA"
2.  Once logged into "machineA", run "ssh2 machineB"
	to secure shell to "machineB".

The problem with the above configuration is that
the communications between machineA and machineB
are being properly protected by ssh, but your
password can still be sniffed over the telnet
connection (between your local system and "machineA").
There's no way we should be able to see the
keystrokes for the "ssh2 machineB" through
snoop if it was being done locally on "machineA".

Try sitting down at the console of "machineA"
and running the same command with snoop going.
Let us know if you can still sniff your password.
If you're already sitting at the console of
"machineA", then please provide us a *complete*
description of all the systems involved--OS version,
SSH version, exactly what systems are connected
to what others, etc.

I've got OpenSSH compiled and installed on
several Solaris systems here and haven't been
able to sniff any of the traffic--as designed.

Hope this helps--

	--Rip
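The two-hop sequence Rip describes above (telnet to "machineA", then "ssh2 machineB" from there) is exactly what a snoop trace exposes: the SSH leg is opaque, but every keystroke of the telnet leg, including the command and whatever is typed at the passphrase prompt, is readable. One way to check a capture for this is to classify each session by protocol and report which ones carry keystrokes in the clear. The following Python script is an added example, not code from this thread or from OpenSSH: it parses snoop summary lines in the shape quoted further down, reconstructs what was typed over TELNET, counts (but does not store) the characters entered after a password or passphrase prompt, and reports TCP flows to port 22 as encrypted. The host names desk, machineA and machineB, the port tables and the sample lines are all constructed for this example; the parser assumes single-token host names (the thread's output writes "machine A" with a space, which the regex below would not match).

```python
"""Audit snoop(1M) summary output for sessions whose keystrokes cross the wire in
the clear.  Added example for this thread, not code from the original posts.

Assumptions: the summary-line layout quoted in the thread ("src -> dst PROTO ..."),
single-token host names, and the well-known ports listed below."""
import re

# "src -> dst PROTO rest"; rest is kept untrimmed because a typed space shows up
# as a trailing blank in snoop's TELNET lines.
LINE_RE = re.compile(r"^\s*(\S+)\s+->\s+(\S+)\s+(TELNET|TCP)\s+(.*)$")
TELNET_RE = re.compile(r"^([CR])\s+port=(\d+)(?:\s(.*))?$")
TCP_PORTS_RE = re.compile(r"\bD=(\d+)\s+S=(\d+)")
PROMPT_RE = re.compile(r"pass(word|phrase)", re.I)

CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 110: "pop3"}   # payload readable (assumed table)
ENCRYPTED_PORTS = {22: "ssh", 443: "https"}                 # payload opaque (assumed table)


def parse_line(line):
    """Parse one snoop summary line; None for lines this example does not model."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, dst, proto, rest = m.groups()
    if proto == "TELNET":
        t = TELNET_RE.match(rest)
        if not t:
            return None
        direction, port, data = t.groups()
        return {"proto": "TELNET", "src": src, "dst": dst, "dir": direction,
                "port": int(port), "data": data or ""}
    p = TCP_PORTS_RE.search(rest)
    if not p:
        return None
    return {"proto": "TCP", "src": src, "dst": dst,
            "dport": int(p.group(1)), "sport": int(p.group(2))}


def _new_session(service, cleartext):
    return {"service": service, "cleartext": cleartext, "packets": 0,
            "typed": "", "output": "", "prompts": [], "secret_chars": 0}


def audit(lines):
    """Group lines into sessions keyed by (service, client port) and record exposure."""
    sessions = {}
    in_secret = {}      # session key -> True while answering a credential prompt
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] == "TELNET":
            key = ("telnet", rec["port"])
            s = sessions.setdefault(key, _new_session("telnet", True))
            s["packets"] += 1
            if rec["dir"] == "C":                       # client -> server: keystrokes
                if in_secret.get(key):
                    s["secret_chars"] += len(rec["data"])   # count only, never store
                else:
                    s["typed"] += rec["data"]
            elif rec["data"]:                           # server -> client: echo/output
                s["output"] += rec["data"]
                if PROMPT_RE.search(rec["data"]):
                    s["prompts"].append(rec["data"])
                    in_secret[key] = True
                else:
                    in_secret[key] = False              # server spoke again: entry is over
            continue
        for port, other in ((rec["dport"], rec["sport"]), (rec["sport"], rec["dport"])):
            if port in ENCRYPTED_PORTS or port in CLEARTEXT_PORTS:
                service = ENCRYPTED_PORTS.get(port) or CLEARTEXT_PORTS[port]
                s = sessions.setdefault((service, other),
                                        _new_session(service, port in CLEARTEXT_PORTS))
                s["packets"] += 1
                break
    return sessions


def report(lines):
    """One human-readable finding per session."""
    out = []
    for (service, port), s in audit(lines).items():
        if not s["cleartext"]:
            out.append(f"{service} (client port {port}): {s['packets']} packets, payload encrypted")
            continue
        msg = f"{service} (client port {port}): typed text readable: {s['typed']!r}"
        if s["prompts"]:
            msg += (f"; {s['secret_chars']} secret characters typed after prompt "
                    f"{s['prompts'][0].strip()!r} were also readable")
        out.append(msg)
    return out


def keystroke_lines(client, server, port, text, echo=True):
    """Emit the three-line pattern snoop shows per keystroke (constructed sample data)."""
    lines = []
    for ch in text:
        lines.append(f"{client} -> {server} TELNET C port={port} {ch}")
        lines.append(f"{server} -> {client} TELNET R port={port}" + (f" {ch}" if echo else ""))
        lines.append(f"{client} -> {server} TELNET C port={port}")
    return lines


# Constructed sample: telnet from desk to machineA, "ssh2 machineB" typed there, a key
# passphrase entered without echo, then the SSH handshake machineA -> machineB.
SAMPLE = (
    keystroke_lines("desk", "machineA", 38920, "ssh2 machineB")
    + ['machineA -> desk TELNET R port=38920 Passphrase for key "']
    + keystroke_lines("desk", "machineA", 38920, "s3cret", echo=False)
    + ["machineA -> desk TELNET R port=38920 Authentication successful."]
    + ["machineA -> machineB TCP D=22 S=4404 Syn Seq=3951258970 Len=0 Win=16384",
       "machineB -> machineA TCP D=4404 S=22 Syn Ack=3951258971 Seq=1 Len=0 Win=16384",
       "machineA -> machineB TCP D=22 S=4404 Ack=2 Seq=3951258971 Len=0 Win=16384"]
)

if __name__ == "__main__":
    for finding in report(SAMPLE):
        print(finding)
```

Run as-is, the script prints one finding per session: the telnet session with the readable command and a count of the characters typed after the passphrase prompt, and the port-22 flow marked as encrypted. The audit deliberately keeps only a count of what was entered after a credential prompt, so the report can be circulated without the secret itself. Against real snoop output the parser would also need to cope with multi-word host names and with the verbose (snoop -v) layout.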

-----Original Message-----
From: owner-openssh-unix-dev at mindrot.org
[mailto:owner-openssh-unix-dev at mindrot.org]On Behalf Of Higdon, David M - CNF
Sent: Tuesday, July 25, 2000 10:35 AM
To: 'Ricardo Cerqueira'; openssh-unix-dev at mindrot.org
Subject: RE: SUNWski


It clearly shows that I have used the ssh command!
I am not using telnet. That is why I have such a
concern.

It only shows this type of output from when I run
the snoop command from a system that has ssh installed.

host1 -> host2    TCP D=22 S=4404 Syn Seq=3951258970 Len=0 Win=16384
host2 -> host1    TCP D=4404 S=22 Rst Ack=3951258971 Win=0


-David


-----Original Message-----
From: Ricardo Cerqueira [mailto:rmcc at novis.pt]
Sent: Tuesday, July 25, 2000 4:10 AM
To: openssh-unix-dev at mindrot.org
Subject: Re: SUNWski


On Tue, Jul 25, 2000 at 12:36:17PM +1000, Damien Miller wrote:
> On Mon, 24 Jul 2000, Higdon, David M - CNF wrote:
>
> >
> > By running the snoop utility that comes with the Solaris
> > OS.
> >
> > Here is the output from running snoop
> >
> > Snoop is running on a third system that does not have ssh
> > installed.
> >
> > I am trying to ssh from machine A to machine B
>
> It looks like you have telnetted to machine A from hostname.xxx.com!
> This traffic is going across your net in the clear.

Right. He's using Telnet, and not SSH.
snoop should show something like this:

host1 -> host2    TCP D=22 S=4404 Syn Seq=3951258970 Len=0 Win=16384
host2 -> host1    TCP D=4404 S=22 Rst Ack=3951258971 Win=0

RC

>
> -d
>
> >
> > from machine C
> >
> > # snoop machine A
> >     machine A -> hostname.xxx.com TELNET C port=38920 s
> > hostname.xxx.com -> machine A     TELNET R port=38920 s
> >     machine A -> hostname.xxx.com TELNET C port=38920
> >     machine A -> hostname.xxx.com TELNET C port=38920 s
> > hostname.xxx.com -> machine A     TELNET R port=38920 s
> >     machine A -> hostname.xxx.com TELNET C port=38920
> >     machine A -> hostname.xxx.com TELNET C port=38920 h
> > hostname.xxx.com -> machine A     TELNET R port=38920 h
> >     machine A -> hostname.xxx.com TELNET C port=38920
> >     machine A -> hostname.xxx.com TELNET C port=38920 2
> > hostname.xxx.com -> machine A     TELNET R port=38920 2
> >     machine A -> hostname.xxx.com TELNET C port=38920
> >     machine A -> hostname.xxx.com TELNET C port=38920
> > hostname.xxx.com -> machine A     TELNET R port=38920
> >     machine A -> hostname.xxx.com TELNET C port=38920
> >     machine A -> hostname.xxx.com TELNET C port=38920 m
> > hostname.xxx.com -> machine A     TELNET R port=38920 m
> >     machine A -> hostname.xxx.com TELNET C port=38920
> >     machine A -> hostname.xxx.com TELNET C port=38920 a
> > hostname.xxx.com -> machine A     TELNET R port=38920 a
> >     machine A -> hostname.xxx.com TELNET C port=38920
> >     machine A -> hostname.xxx.com TELNET C port=38920 c
> > hostname.xxx.com -> machine A     TELNET R port=38920 c
> >     machine A -> hostname.xxx.com TELNET C port=38920
> >     machine A -> hostname.xxx.com TELNET C port=38920 h
> > hostname.xxx.com -> machine A     TELNET R port=38920 h
> >     machine A -> hostname.xxx.com TELNET C port=38920
> >     machine A -> hostname.xxx.com TELNET C port=38920 i
> > hostname.xxx.com -> machine A     TELNET R port=38920 i
> >     machine A -> hostname.xxx.com TELNET C port=38920
> >     machine A -> hostname.xxx.com TELNET C port=38920 n
> > hostname.xxx.com -> machine A     TELNET R port=38920 n
> >     machine A -> hostname.xxx.com TELNET C port=38920
> >     machine A -> hostname.xxx.com TELNET C port=38920 e
> > hostname.xxx.com -> machine A     TELNET R port=38920 e
> >     machine A -> hostname.xxx.com TELNET C port=38920
> >     machine A -> hostname.xxx.com TELNET C port=38920 B
> > hostname.xxx.com -> machine A     TELNET R port=38920 B
> >     machine A -> hostname.xxx.com TELNET C port=38920
> >     machine A -> hostname.xxx.com TELNET C port=38920
> > hostname.xxx.com -> machine A     TELNET R port=38920
> >     machine A -> hostname.xxx.com TELNET C port=38920
> > hostname.xxx.com -> machine A     TELNET R port=38920 Passphrase for key "
> >     machine A -> hostname.xxx.com TELNET C port=38920
> >     machine A -> hostname.xxx.com TELNET C port=38920 m
> > hostname.xxx.com -> machine A     TELNET R port=38920
> >     machine A -> hostname.xxx.com TELNET C port=38920 o
> > hostname.xxx.com -> machine A     TELNET R port=38920
> >     machine A -> hostname.xxx.com TELNET C port=38920 n
> > hostname.xxx.com -> machine A     TELNET R port=38920
> >     machine A -> hostname.xxx.com TELNET C port=38920 g
> > hostname.xxx.com -> machine A     TELNET R port=38920
> >     machine A -> hostname.xxx.com TELNET C port=38920 0
> > hostname.xxx.com -> machine A     TELNET R port=38920
> >     machine A -> hostname.xxx.com TELNET C port=38920 0
> > hostname.xxx.com -> machine A     TELNET R port=38920
> >     machine A -> hostname.xxx.com TELNET C port=38920 s
> > hostname.xxx.com -> machine A     TELNET R port=38920
> >     machine A -> hostname.xxx.com TELNET C port=38920 e
> > hostname.xxx.com -> machine A     TELNET R port=38920
> >     machine A -> hostname.xxx.com TELNET C port=38920
> > hostname.xxx.com -> machine A     TELNET R port=38920
> >     machine A -> hostname.xxx.com TELNET C port=38920
> > hostname.xxx.com -> machine A     TELNET R port=38920 Authentication succe
> >     machine A -> hostname.xxx.com TELNET C port=38920
> > hostname.xxx.com -> machine A     TELNET R port=38920 Last login: Tue Jul
> >     machine A -> hostname.xxx.com TELNET C port=38920
> > hostname.xxx.com -> machine A     TELNET R port=38920 Sun Microsystems Inc
> >     machine A -> hostname.xxx.com TELNET C port=38920
> >
> >
> > -David
> >
> > -----Original Message-----
> > From: Damien Miller [mailto:djm at mindrot.org]
> > Sent: Monday, July 24, 2000 4:47 PM
> > To: Higdon.David at cnf.com
> > Cc: 'Markus Friedl'; 'Brian Friday'; 'openssh-unix-dev at mindrot.org';
> > openssh at openssh.com
> > Subject: RE: SUNWski
> >
> >
> > On Mon, 23 Jul 2000, Higdon, David M - CNF wrote:
> >
> > How do you see the login and password in the clear? Can you send a log
> > of such an event?
> >
> > >
> > > solaris 2.8
> > > openssh 2.1.1p4
> > > openssl 0.0.5a
> > > zlib 1.1.3
> > > SUNWski
> > >
> > >
> > > - David
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: Markus Friedl [mailto:markus.friedl at informatik.uni-erlangen.de]
> > > Sent: Sunday, July 23, 2000 7:10 AM
> > > To: Higdon, David M - CNF
> > > Cc: 'Brian Friday'; 'openssh-unix-dev at mindrot.org'; openssh at openssh.com
> > > Subject: Re: SUNWski
> > >
> > >
> > > On Thu, Jul 20, 2000 at 02:43:30PM -0700, Higdon, David M - CNF wrote:
> > > > What happens when you run snoop on the system
> > > > that you ssh from? Can you see your input in
> > > > clear text? Because I can!
> > >
> > > could you please show me? what versions of ssh are you using?
> > >
> > >
> >
> >
>
> --
> | "Bombay is 250ms from New York in the new world order" - Alan Cox
> | Damien Miller - http://www.mindrot.org/
> | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
>
>
>
>

--
+-------------------
| Ricardo Cerqueira
| PGP Key fingerprint  -  B7 05 13 CE 48 0A BF 1E  87 21 83 DB 28 DE 03 42
| Novis  -  ISP Engineering / Technical Network
| Pç. Duque Saldanha, 1, 7º E / 1050-094 Lisboa / Portugal
| Tel: +351 21 3166700 (24h/day) - Fax: +351 21 3166701