Connection caching?

Ben Lindstrom mouring at etoh.eviladmin.org
Tue May 4 12:13:03 EST 2004



On Mon, 3 May 2004, Jefferson Ogata wrote:

> Damien Miller wrote:
> > Jefferson Ogata wrote:
> >>My previous comment was poorly worded. I understand from other postings
> >>that the server has the capability for multiple sessions. I'm saying
> >>please provide a server option to disable that. Are you saying there
> >>exists such an option?
> >
> > No such option exists, unless you include "Protocol=1" :)
> >
> > I don't think an option makes sense anyway. If you have the ability
> > to compromise a client, then you can execute such an attack right now.
>
> I don't know what you mean. If the client doesn't support the option,
> all you can do is take over an existing session -- say, via ptrace or
> pty hijacking -- and this would be difficult to pull off in general,
> especially undetected. In any case, this is a totally different attack
> that can be mitigated in other ways.
>

What stops it from happening now?  Net::SSH supports it, and Windows
SSH clients support it.  Because the server supports it, you may be at
risk no matter whether OpenSSH's client supports it or not.

I mean honestly.. =) Has this never crossed your mind before, that a user on
a Windows box or a self-owned UNIX box could be doing this?  The world is
not made up of OpenSSH clients only. =)  I hate to rain on all our dreams,
but that is the reality of the matter.

Besides, as Damien stated, this is all academic until someone writes a
patch to support this feature.

- Ben