Connection caching?

Ben Lindstrom mouring at etoh.eviladmin.org
Thu May 6 02:24:44 EST 2004



On Wed, 5 May 2004, Jefferson Ogata wrote:

> Ben Lindstrom wrote:
> > On Wed, 5 May 2004, Jefferson Ogata wrote:
> >>Now you add connection caching, and the compromise is no longer contained. If
> >>the user is legitimately logged from the gateway into the secure system, the
> >>intruder can now log in to the secure system, as many times as he likes.
> >
> > I think Damien/Markus would agree when I say that the user would have to
> > enable such a thing for it to be used.  Either via a ssh_config or via
> > a commandline option.  Much like how X11 sessions are.
> >
> > Why would a user do such a thing on a machine as you describe?  What gain
> > do they get?  I see none.
>
> No doubt the lazy user /would/ enable such a thing. The control needs to be on
> the server side.
>

Praytell... If the /home is RO.. they don't have a ssh_config or it is
predefined for them.. How is:

ssh -G somesite.com

or worse:

ssh '-o AllowMultipleChannels yes' somesite.com

easier than just typing:

ssh somesite.com


Still my original point stands from a few messages ago.. NOTHING stops
this from happening now from a client other than ours.  Yet you don't
seem to care about that fact... Only after we commented that "someday
this would be a nice feature" did you start...

If you want the feature.. Pony up the code so we have something physical
to discuss and test against other SSH clients for breakage.  Until then I
think we are going in circles.

- Ben




More information about the openssh-unix-dev mailing list