Connection caching?

John Davidorff Pell johnpell at mac.com
Wed May 5 17:15:00 EST 2004


I agree with you, but in the interests of expanding my own 
understanding, I'm going to play devil's advocate.

If the client is compromised, then the attacker can easily use the 
existing shell channel: by breaking into the ptys, by hijacking the 
process, or by taking control of the actual physical terminal, among 
other ways. Some require advanced attacks, some require strolling over 
to the so-and-so's desk before so-and-so's screen saver picks up. At 
this point, one command can easily add an alternate private-key to the 
remote account, and thus provide outside, unrestricted, unmonitored 
access. One can also issue one command to do immediate damage ("rm -rf 
~ &").

In order to hijack a "cached" connection, one must have (local) shell 
access as user 'foo' (or root), to execute "ssh 
bar@existing.connection". In order to hijack an existing, non-cached 
connection, one must have local shell access as user 'foo', to execute 
one of the many tools that can "hijack" a pty. At this point, there is 
little-to-no expectation of security.

The difference? In one case the command is simple and obvious. In the 
other, the attacker must use a command that takes over an existing pty, 
which is sometimes already present on the system.

Specifically, I'm thinking of something like GNU Screen or even 
something a little more specific. Something like that is not hard to 
write, especially if we're talking about an insecure client system.

You're advocating security through obscurity. If the attacker does not 
know how to hijack an existing pty, then he/she will likely not be able 
to do any damage on the remote system besides the obvious "let's screw with 
foo's files", which he/she can do on the local system anyway. This is 
foo's problem, not the server's. If the "hijacker" can hijack the pty, 
then the server is in a much more vulnerable position and is in the 
same position now as it would be after a 2nd shell "session" over the 
already-authenticated connection.

:-)

JP

On 4 May 2004, at 23:29, Jefferson Ogata wrote:
> It is a reasonable expectation for an admin to be able to say: one 
> successful authentication authorizes only one shell channel.
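An added example, not code from this post, the thread, or the OpenSSH project: the two checks a practitioner would run around the scenario the thread argues about. The "one authentication, one shell channel" expectation quoted above is what the later sshd_config keyword MaxSessions 1 enforces on the server (the default is 10), and on the client the cached connection lives behind a ControlMaster socket (ControlPath) that ssh creates with mode 0600, so whoever can open that socket as user 'foo' gets a new session without authenticating again. The config text and the socket stand-in below are constructed for the example; the paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the OpenSSH project or the post's author).
#  1. server side: effective global MaxSessions in an sshd_config;
#     MaxSessions 1 is the "one authentication, one shell channel" policy.
#  2. client side: whether a ControlMaster socket (ControlPath) is only
#     reachable by its owner, since anyone who can open it gets a session
#     over the already-authenticated connection.

# max_sessions CONFIG_TEXT
# Prints the effective global MaxSessions. Follows sshd_config rules:
# keywords are case-insensitive, the first value wins, '#' lines are
# comments, and the global section ends at the first Match block
# (Match-scoped values are deliberately ignored here). sshd's built-in
# default when the keyword is absent is 10.
max_sessions() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "match" { exit }
        tolower($1) == "maxsessions" && val == "" { val = $2 }
        END { if (val == "") val = 10; print val }'
}

# one_session_policy CONFIG_TEXT -> 0 if exactly one session per
# authenticated connection is allowed, 1 otherwise.
one_session_policy() {
    [ "$(max_sessions "$1")" -eq 1 ]
}

# control_socket_ok SOCKET_PATH -> 0 if SOCKET_PATH exists, is owned by
# the calling user with mode 0600, and its directory is neither group-
# nor world-writable (stricter than ssh, which checks only the socket).
control_socket_ok() {
    sock=$1
    dir=$(dirname "$sock")
    [ -e "$sock" ] || return 1
    # find prints the path only when every test matches; -prune stops descent.
    [ -n "$(find "$sock" -prune -user "$(id -un)" -perm 600 -print)" ] || return 1
    [ -z "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) -print)" ] || return 1
}

# Constructed sshd_config fragments (assumption: the real file is
# /etc/ssh/sshd_config). The first leaves the default, the second pins
# MaxSessions 1 and shows that later global and Match values do not win.
DEFAULT_CONFIG='Port 22
PermitRootLogin no
#MaxSessions 1
ClientAliveInterval 300'

STRICT_CONFIG='Port 22
MaxSessions 1
MaxSessions 10
Match User backup
    MaxSessions 5'

# demo_socket_check: builds a throwaway directory with a regular file
# standing in for the ControlMaster socket (a real one is created by
# ControlMaster / ssh -M) and returns 0 if the protected layout passes
# while a readable socket and a world-writable directory both fail.
demo_socket_check() {
    d=$(mktemp -d) || return 2
    mkdir -m 700 "$d/cm" && : > "$d/cm/sock" && chmod 600 "$d/cm/sock"
    control_socket_ok "$d/cm/sock" || { rm -rf "$d"; return 1; }
    chmod 644 "$d/cm/sock"                       # readable by others: fail
    if control_socket_ok "$d/cm/sock"; then rm -rf "$d"; return 1; fi
    chmod 600 "$d/cm/sock" && chmod 777 "$d/cm"  # world-writable dir: fail
    if control_socket_ok "$d/cm/sock"; then rm -rf "$d"; return 1; fi
    rm -rf "$d"
    return 0
}

# Stand-alone run: report both checks on the constructed input.
echo "default config MaxSessions: $(max_sessions "$DEFAULT_CONFIG")"
echo "strict config MaxSessions:  $(max_sessions "$STRICT_CONFIG")"
demo_socket_check && echo "socket permission checks behave as expected"
```

On a live system the server check is `max_sessions "$(cat /etc/ssh/sshd_config)"` and the client check is `control_socket_ok` on the path named by ControlPath (for example `~/.ssh/cm-%r@%h:%p` expanded); `ssh -O check host` then confirms whether a master is actually holding the cached connection. The directory check is stricter than ssh itself, which only relies on the socket's own 0600 mode, so a ControlPath under a sticky world-writable directory such as /tmp is reported as weak here on purpose.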


