On Sun, Sep 22, 2002 at 01:37:22PM +0200, Iljitsch van Beijnum wrote:
On Sun, 22 Sep 2002, Richard A Steenbergen wrote:
I've seen far too many people get into trouble because they have some flawed thinking that "ssh == always secure", even against compromises of one of the endpoints. If root is available, a reasonable person should ASSUME that some bored individual (like Bandy Rush) has taken 30 seconds and recompiled the ssh binaries with a password logger.
Excellent point. Fortunately, this doesn't apply to running SSH from your laptop over the wireless network.
There are server-origin attacks to consider as well, beyond the more obvious password capture, etc. Consider agent and X11 forwarding, for which we've recently added some discussion to OpenSSH ssh_config(5):

     ForwardAgent
             Specifies whether the connection to the authentication agent
             (if any) will be forwarded to the remote machine.  The argument
             must be ``yes'' or ``no''.  The default is ``no''.

             Agent forwarding should be enabled with caution.  Users with
             the ability to bypass file permissions on the remote host (for
             the agent's Unix-domain socket) can access the local agent
             through the forwarded connection.  An attacker cannot obtain
             key material from the agent, however they can perform
             operations on the keys that enable them to authenticate using
             the identities loaded into the agent.

     ForwardX11
             Specifies whether X11 connections will be automatically
             redirected over the secure channel and DISPLAY set.  The
             argument must be ``yes'' or ``no''.  The default is ``no''.

             X11 forwarding should be enabled with caution.  Users with the
             ability to bypass file permissions on the remote host (for the
             user's X authorization database) can access the local X11
             display through the forwarded connection.  An attacker may then
             be able to perform activities such as keystroke monitoring.
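
Added example, not part of the original message and not OpenSSH code: a small client-side audit that resolves the effective ForwardAgent and ForwardX11 values for given hosts, using the first-value-wins rule and the ``no'' defaults quoted above. The hostnames, the sample configuration and the function names are constructed for illustration; only Host blocks are evaluated, and fnmatch stands in for ssh's own pattern matching.

```python
import fnmatch

# Constructed sample ssh_config (not from the original message).
SAMPLE_CONFIG = """\
Host bastion.example.net
    ForwardAgent yes

Host *.lab.example.net !build.lab.example.net
    ForwardX11 = yes

Host *
    ForwardAgent no
    ForwardX11 no
"""

RISKY = ("forwardagent", "forwardx11")

def host_matches(patterns, host):
    """A Host line applies if a positive pattern matches and no negated one does."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched

def effective_forwarding(config_text, host):
    """Resolve both keywords for host: first value obtained wins, default 'no'."""
    result = {}
    active = True  # lines before the first Host block apply to every host
    for raw in config_text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key in ("host", "match"):
            # Match blocks are not evaluated here; their contents are skipped.
            active = key == "host" and host_matches(value.split(), host)
        elif active and key in RISKY and key not in result:
            result[key] = value.lower()
    return {k: result.get(k, "no") for k in RISKY}

def audit(config_text, hosts):
    """Return (host, keyword) pairs where forwarding ends up enabled."""
    return [(h, k) for h in hosts
            for k, v in effective_forwarding(config_text, h).items() if v != "no"]
```

Because the first value obtained wins, a trailing "Host *" block with both options set to no does not override an earlier host-specific yes; the audit reports exactly those hosts.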