Firewall Wizards mailing list archives

Re: potential ssh attack


From: Barney Wolff <barney () databus com>
Date: Fri, 11 Jun 1999 22:33 EDT

But surely the machine running sshd required some form of authentication
before it was willing to forward packets?  You may not have noticed it,
but entering the passphrase to unlock your private key on your machine
then enabled your ssh to use that private key to authenticate to the
machine running sshd.  If not, the sshd setup is really screwed up.
So it's not just anybody with a copy of ssh that can get service -
you have to be somebody that sshd on the target believes is authorized,
and prove you're you.

In general, if you can authenticate to the sshd machine, you can log
in to it and run anything on it that you're entitled to.  So port
forwarding adds no extra risk.

Barney Wolff  <barney () databus com>

Date: Wed, 9 Jun 1999 02:49:36 -0400
From: Matt Dunn <matt () electrocentric com>

Here's the problem. From any machine that can connect to the ssh port (ie. not 
tcp wrapped or what have you), it would be possible to make a connection to any
port on the machine using ssh's port forwarding features, routing the 
authentication through the attacker's local machine. For example:

      attacker1:#  ssh -R 345:target.machine.com:25 127.0.0.1

The only authentication that happens in this case is that the attacker's local 
machine asks her for the local account's password, which she more than likely 
already knows, and the sshd on the target machine merrily begins redirecting 
requests from this tunnel to its SMTP port, effectively opening that port to some 
other form of attack which would normally have been blocked by the now 
bypassed filtering mechanism.
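A check a defender can run against the point Barney makes: forwarding is gated by the same authentication as a login, so the sshd directives that govern forwarding are what matter for any account that should not have full access. This is an added example, not from the thread; it assumes modern OpenSSH directive names and defaults (AllowTcpForwarding, PermitOpen, GatewayPorts, AllowAgentForwarding), and the sample configs are constructed.

```python
"""Audit the global section of an sshd_config for port-forwarding controls.

Added example, not from the original thread. Assumes modern OpenSSH
directive names and defaults; the sample configs below are constructed.
"""
import re

# OpenSSH defaults that apply when a directive is absent.
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "permitopen": "any",
    "gatewayports": "no",
    "allowagentforwarding": "yes",
}

def parse_global(config_text):
    """Return {lowercased directive: value} for the global section.

    Parsing stops at the first Match block: directives there override the
    global ones only for matching connections and are not evaluated here.
    """
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = re.match(r"([A-Za-z]+)\s*=?\s*(.*)", line)  # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)       # sshd keeps the first value it sees
    return settings

def forwarding_findings(config_text):
    """List forwarding directives left at, or set to, a permissive value."""
    effective = {k: v.lower() for k, v in parse_global(config_text).items()}
    findings = []
    for key, default in DEFAULTS.items():
        value = effective.get(key, default)
        if key == "allowtcpforwarding" and value in ("yes", "all"):
            findings.append(f"{key}={value}: authenticated users may open -L/-R tunnels")
        elif key == "permitopen" and value == "any":
            findings.append(f"{key}={value}: no restriction on forwarding destinations")
        elif key == "gatewayports" and value != "no":
            findings.append(f"{key}={value}: remote forwards may bind non-loopback addresses")
        elif key == "allowagentforwarding" and value == "yes":
            findings.append(f"{key}={value}: agent forwarding enabled")
    return findings

# Constructed samples: a near-default config and a hardened one with a Match block.
SAMPLE_DEFAULT = "Port 22\n# AllowTcpForwarding yes\n"
SAMPLE_HARDENED = ("AllowTcpForwarding no\nPermitOpen none\nGatewayPorts no\n"
                   "AllowAgentForwarding no\nMatch User backup\n    AllowTcpForwarding yes\n")
```

Run `forwarding_findings()` over the real `/etc/ssh/sshd_config`; an empty list means every forwarding directive is explicitly restricted in the global section.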
