Connection caching?
Ben Lindstrom
mouring at etoh.eviladmin.org
Tue May 4 12:13:03 EST 2004
On Mon, 3 May 2004, Jefferson Ogata wrote:
> Damien Miller wrote:
> > Jefferson Ogata wrote:
> >>My previous comment was poorly worded. I understand from other postings
> >>that the server has the capability for multiple sessions. I'm saying
> >>please provide a server option to disable that. Are you saying there
> >>exists such an option?
> >
> > No such option exists, unless you include "Protocol=1" :)
> >
> > I don't think an option makes sense anyway. If you have the ability
> > to compromise a client, then you can execute such an attack right now.
>
> I don't know what you mean. If the client doesn't support the option,
> all you can do is take over an existing session -- say, via ptrace or
> pty hijacking -- and this would be difficult to pull off in general,
> especially undetected. In any case, this is a totally different attack
> that can be mitigated in other ways.
>
What stops it from happening now? Net::SSH supports it, and Windows
SSH clients support it. Because the server supports you may be at
risk no matter if OpenSSH's client supports it or not.
I mean honestly.. =) Has this never cross your mind before that a user on
a Windows box or a self-owned UNIX box could be doing this? The world is
not made up of OpenSSH clients only. =) I hate to rain on all our dreams,
but that is the reality of the matter.
Besides, as what Damien stated this is all academic until someone writes a
patch to support this feature.
- Ben
More information about the openssh-unix-dev
mailing list