Security implications of using ControlMaster

Harald Wagener wagener at
Tue Jan 21 18:26:09 AEDT 2020

Stephen Harris <lists at> schrieb am Di., 21. Jan. 2020, 02:39:

> On Tue, Jan 21, 2020 at 12:18:52PM +1100, Damien Miller wrote:
> > I wouldn't say it's a lot harder to take control of current connections -
> > writing a ptrace-based tool that hijacked a running ssh client and
> > injected a one-off implant payload via keystrokes doesn't seem like
> > much work.
> * Injection of key strokes into an existing channel may be detected
>   just because "hey, I didn't type foobar" so why is it on my screen.
>   A new shell on a different channel won't show so obviously.

`~.` is a nice keystroke sequence to inject because it disconnects the
session and you will likely not even see the input on screen.

An unsuspecting victim would assume a network glitch and reconnect,
yielding a new (and controllable by the attacker) session.


PS this is veering offtopic, but a simple `Ctrl-C Ctrl-D` might be even
less suspicious. Combine this with `Ctrl-S` and `Ctrl-Q` and unless you
have full input stream logging you will have a lot of opportunities of
messing with existing connections unnoticed.

More information about the openssh-unix-dev mailing list