Security implications of using ControlMaster

Konrad Bucheli kb at
Tue Jan 21 01:13:20 AEDT 2020

Dear Mailing List

We are using a ControlMaster with a short ControlPersist to access the 
bastion host which then gives access to customer hosts.

Our Information Security Manager would like to disallow the 
ControlMaster. His attack scenario is an admin workstation with a 
compromised root account. An attacker can then use the ControlMaster to 
trivially get shell access on the bastion host without authentication 
when the actual admin user has an open SSH connection.

My argument is that there is too little security gain for the loss of 
convenience. If the attacker is root on the admin workstation, he has 
other means, like exchanging the SSH binary to silently drop some 
payload after connecting to the target or doing something similar by 
using the TTY file used by the shell which runs ssh (like "ECHO OFF, do 
your stuff, ECHO ON").

What is your opinion?

Kind regards


Konrad Bucheli
Principal Systems Engineer

O.  +41 58 100 10 10

Open Systems

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4822 bytes
Desc: S/MIME Cryptographic Signature
URL: <>

More information about the openssh-unix-dev mailing list