Security implications of using ControlMaster

Damien Miller djm at mindrot.org
Tue Jan 21 11:08:51 AEDT 2020


On Mon, 20 Jan 2020, Konrad Bucheli wrote:

> Dear Mailing List
> 
> We are using a ControlMaster with a short ControlPersist to access the bastion
> host which then gives access to customer hosts.
> 
> Our Information Security Manager would like to disallow the ControlMaster. His
> attack scenario is an admin workstation with a compromised root account. An
> attacker can then use the ControlMaster to trivially get shell access on the
> bastion host without authentication when the actual admin user has an open SSH
> connection.
> 
> My argument is that there is too little security gain for the loss of
> convenience. If the attacker is root on the admin workstation, he has other
> means, like exchanging the SSH binary to silently drop some payload after
> connecting to the target or doing something similar by using the TTY file used
> by the shell which runs ssh (like "ECHO OFF, do your stuff, ECHO ON").
> 
> What is your opinion?

If the attacker has access to the origin machine then they have already
won. Options for exploitation include stealing local keys or use of the
agent, replacing or $PATH substituting the ssh executable, ptracing a
running ssh process to open additional sessions (metlstorm's sshjack
tool) and probably a bunch more that I'm not sufficiently imaginative to
think of.

So IMO disallowing session multiplexing is at most a speedbump that an
attacker will cross with relative ease. Speedbumps make sense sometimes,
but they must be weighed against their inconvenience.

-d
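To make the exposure window Konrad's "short ControlPersist" argument turns on concrete, here is an added audit helper (example code, not part of the thread or of OpenSSH) that reads client-side ssh_config text and reports, per destination host, whether multiplexing is enabled and how long the control socket outlives the admin's last session. It assumes Host-glob-only matching (no Match blocks) and a constructed sample config modelled on the bastion setup described above.

```python
import fnmatch
import re

# Hypothetical helper, not OpenSSH code: estimate how long a multiplexed
# connection's control socket stays usable from ssh_config settings.
_UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_persist(value):
    """ControlPersist -> idle seconds after the last session; None = indefinite.
    Per ssh_config(5): 'yes' and '0' keep the master alive until killed, 'no'
    closes it with the initial session, sshd_config time formats ('30s',
    '1h30m') set an idle timeout."""
    v = value.strip().lower()
    if v in ("yes", "true"):
        return None
    if v in ("no", "false"):
        return 0
    if not re.fullmatch(r"(\d+[smhdw]?)+", v):
        raise ValueError(f"bad ControlPersist value: {value!r}")
    secs = sum(int(n) * _UNIT_SECONDS[u] for n, u in re.findall(r"(\d+)([smhdw]?)", v))
    return None if secs == 0 else secs

def effective_options(config_text, hostname):
    """First-obtained-value-wins lookup of the options applying to hostname.
    Simplification (assumed): Host globs with '!' negation only, no Match."""
    opts, active = {}, True            # lines before any Host block apply to all
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key, rest = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "host":
            pats = rest.split()
            pos = [p for p in pats if not p.startswith("!")]
            neg = [p[1:] for p in pats if p.startswith("!")]
            active = (any(fnmatch.fnmatchcase(hostname, p) for p in pos)
                      and not any(fnmatch.fnmatchcase(hostname, p) for p in neg))
            continue
        if active:
            opts.setdefault(key, rest)
    return opts

def multiplexing_window(config_text, hostname):
    """Return (enabled, idle_seconds). While a session is open the socket is
    usable regardless; idle_seconds is how much longer it lingers afterwards
    (None = until killed). 'ask'/'autoask' still count as enabled, although
    they require ssh-askpass confirmation for each new multiplexed session."""
    opts = effective_options(config_text, hostname)
    if opts.get("controlmaster", "no").lower() not in ("yes", "auto", "ask", "autoask"):
        return False, 0
    return True, parse_persist(opts.get("controlpersist", "no"))

# Constructed sample config mirroring the thread: bastion with a short ControlPersist.
SAMPLE_CONFIG = """\
Host bastion
    ControlMaster auto
    ControlPath ~/.ssh/cm-%r@%h:%p
    ControlPersist 30s
Host *.customer.example
    ProxyJump bastion
Host *
    ControlMaster no
"""
```

Running `multiplexing_window(SAMPLE_CONFIG, "bastion")` yields `(True, 30)`: the socket is reusable for 30 seconds after the admin's last session, plus the whole time a session is open, which is the window the ISM's scenario relies on.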

