Security implications of using ControlMaster
Nico Schottelius
nico.schottelius at ungleich.ch
Tue Jan 21 01:37:10 AEDT 2020
Hey Konrad,
if the box is root compromised, anything you do on it is untrusted.
So you cannot use ssh or even type in any password into any of the
existing tool without likely leaking it to the attacker. She could even
have patched the (g)libc to forward input, so even a correct ssh binary
doesn't ensure your data is not compromised.
So disabling ControlMaster does not fix the problem your SM described.
Cheers,
Nico
Konrad Bucheli <kb at open.ch> writes:
> Dear Mailing List
>
> We are using a ControlMaster with a short ControlPersist to access the
> bastion host which then gives access to customer hosts.
>
> Our Information Security Manager would like to disallow the
> ControlMaster. His attack scenario is an admin workstation with a
> compromised root account. An attacker can then use the ControlMaster to
> trivially get shell access on the bastion host without authentication
> when the actual admin user has an open SSH connection.
>
> My argument is that there is too little security gain for the loss of
> convenience. If the attacker is root on the admin workstation, he has
> other means, like exchanging the SSH binary to silently drop some
> payload after connecting to the target or doing something similar by
> using the TTY file used by the shell which runs ssh (like "ECHO OFF, do
> your stuff, ECHO ON").
>
> What is your opinion?
>
> Kind regards
>
> Konrad
--
Modern, affordable, Swiss Virtual Machines. Visit www.datacenterlight.ch
More information about the openssh-unix-dev
mailing list