Security implications of using ControlMaster
Konrad Bucheli
kb at open.ch
Tue Jan 21 01:13:20 AEDT 2020
Dear Mailing List
We are using a ControlMaster with a short ControlPersist to access the
bastion host which then gives access to customer hosts.
Our Information Security Manager would like to disallow the
ControlMaster. His attack scenario is an admin workstation with a
compromised root account. An attacker can then use the ControlMaster to
trivially get shell access on the bastion host without authentication
when the actual admin user has an open SSH connection.
My argument is that there is too little security gain for the loss of
convenience. If the attacker is root on the admin workstation, he has
other means, like exchanging the SSH binary to silently drop some
payload after connecting to the target or doing something similar by
using the TTY file used by the shell which runs ssh (like "ECHO OFF, do
your stuff, ECHO ON").
What is your opinion?
Kind regards
Konrad
--
Konrad Bucheli
Principal Systems Engineer
O. +41 58 100 10 10
W. open-systems.com
Open Systems
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4822 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20200120/e6cc295c/attachment.p7s>
More information about the openssh-unix-dev
mailing list