Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Wireless insecurity at NANOG meetings

  • From: Kevin Steves
  • Date: Sun Sep 22 18:27:32 2002

On Sun, Sep 22, 2002 at 01:37:22PM +0200, Iljitsch van Beijnum wrote:
> On Sun, 22 Sep 2002, Richard A Steenbergen wrote:
> > I've seen far too many people get into trouble because they have some
> > flawed thinking that "ssh == always secure", even against compromises of
> > one of the endpoints. If root is available, a reasonable person should
> > ASSUME that some bored individual (like Bandy Rush) has taken 30 seconds
> > and recompiled the ssh binaries with a password logger.
> 
> Excellent point. Fortunately, this doesn't apply to running SSH from your
> laptop over the wireless network.

There are server-origin attacks to consider as well, beyond the more
obvious password capture, etc.  Consider agent and X11 forwarding, for
which we've recently added some discussion to OpenSSH ssh_config(5):

     ForwardAgent
             Specifies whether the connection to the authentication agent (if
             any) will be forwarded to the remote machine.  The argument must
             be ``yes'' or ``no''. The default is ``no''.

             Agent forwarding should be enabled with caution.  Users with the
             ability to bypass file permissions on the remote host (for the
             agent's Unix-domain socket) can access the local agent through
             the forwarded connection.  An attacker cannot obtain key material
             from the agent, however they can perform operations on the keys
             that enable them to authenticate using the identities loaded into
             the agent.

     ForwardX11
             Specifies whether X11 connections will be automatically redirect-
             ed over the secure channel and DISPLAY set.  The argument must be
             ``yes'' or ``no''. The default is ``no''.

             X11 forwarding should be enabled with caution.  Users with the
             ability to bypass file permissions on the remote host (for the
             user's X authorization database) can access the local X11 display
             through the forwarded connection.  An attacker may then be able
             to perform activities such as keystroke monitoring.




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.