Thanks everybody for the discussion. It's set me straight on a few issues ;) Regards, Matt (yet another one, I guess...)
Matthew Palmer wrote:
On Mon, Dec 27, 2004 at 10:22:18PM +1100, Indelible wrote:
A while ago somebody mentioned in a talk that it was a really bad idea to log into a machine via ssh and from there log into another machine using ssh.
I don't get it. Why is this bad?
Several possible reasons (some as mlh has already pointed out):
1) If you use a password to get to the far machine, it's trivial to capture the keystrokes as they pass through the intermediate machine. Anyone with root access (either the admins or, if the machine has been cracked, the attacker) can easily sniff that password.
2) A public key stored on the intermediate machine is fair game for anyone with root on the box (again, legitimate or cracker). A passphraseless key is very bad juju, but even a passphrased one is vulnerable to the same keystroke logging stuff.
3) An ssh-agent-based system is the most secure, but a sneaky root user on the intermediate machine can use your proxy to get into the far machine (and anything *else* that's accessible through your ssh-agent session). It's not as bad as 1 & 2 above, because access can only be obtained while your ssh-agent session is active on the intermediate machine, but it's still Bad Stuff.
Of course, none of these problems are particular to SSH (except maybe #3; I'm not aware of too many other mainstream systems with a similar capability), but you did ask in the context of SSH in particular.
In short, in order for SSH access through an intermediary to be sensible, you have to be very confident that (a) the legitimate admins of the machine are trustworthy enough, and (b) that the machine has not been compromised. On the modern Internet, that's not a gamble I take lightly.
- Matt (the other one)
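As an added example (not from the thread or from Matt's post), the script below audits an OpenSSH client config for the hop-through choice the post warns about most, agent forwarding, and shows the hardened alternative. It assumes OpenSSH's ProxyJump option (available since 7.3); the host names and both config snippets are constructed.

```shell
#!/bin/sh
# Added example, not from the list thread. Audits an OpenSSH client config for
# agent forwarding (point 3 above) and shows the end-to-end hop that avoids
# points 1 and 2 as well. Host names are constructed.

# Constructed "before" config: the agent socket is forwarded to the bastion, so
# root there can sign with your keys for as long as the session lasts.
WEAK_CONFIG='Host bastion
    HostName bastion.example.net
    ForwardAgent yes
'

# Constructed "after" config: ProxyJump (OpenSSH 7.3+) opens the inner
# connection *through* the bastion as a plain TCP relay. Authentication and
# keystrokes are end-to-end, so the bastion never sees the far-host password,
# never holds a key, and never gets the agent socket. If forwarding is ever
# unavoidable, loading keys with "ssh-add -c" makes every use prompt locally.
STRONG_CONFIG='Host bastion
    HostName bastion.example.net
    ForwardAgent no

Host inner
    HostName inner.example.internal
    ProxyJump bastion
    ForwardAgent no
'

# forwards_agent CONFIG: succeed (exit 0) if any stanza enables agent forwarding.
forwards_agent() {
    printf '%s\n' "$1" |
        grep -qiE '^[[:space:]]*ForwardAgent[[:space:]]+yes([[:space:]]|$)'
}

# uses_proxyjump CONFIG: succeed if at least one stanza hops with ProxyJump.
uses_proxyjump() {
    printf '%s\n' "$1" | grep -qiE '^[[:space:]]*ProxyJump[[:space:]]+[^[:space:]]'
}

# audit_config CONFIG: print findings; return 0 only when no agent is forwarded.
audit_config() {
    rc=0
    if forwards_agent "$1"; then
        echo "WEAK: ForwardAgent yes lends root on the hop your agent for the whole session"
        rc=1
    fi
    uses_proxyjump "$1" || echo "NOTE: no ProxyJump stanza; ssh-ing again from the bastion shows it your password or key"
    [ "$rc" -eq 0 ] && echo "OK: no agent forwarding in this config"
    return "$rc"
}

audit_config "$WEAK_CONFIG" || true
audit_config "$STRONG_CONFIG"
```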
-- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
