[svlug] Configuring Server - SSH Trouble + Security Considerations

Rick Moen rick at linuxmafia.com
Thu Oct 26 17:51:45 PDT 2006


Quoting Don Marti (dmarti at zgp.org):

> Is there a way for you, the administrator of the
> server, to tell ssh hopping, like this:
> 
>   ssh -At lron.example.edu ssh xenu.linuxmafia.com
> 
> from risky private key copying?

Sorry, I really don't.

Please note, as well, that using globally unique (across systems) access
tokens -- either passwords or keypairs -- in no way defeats the
token-stealing routine I described.  Not at all.  This is a problem
because I'm _reasonably_ certain it's now the standard method among 
script-kiddies.

Basically, it's an inevitable consequence of the fact that an SSH tunnel
is only as trustable as both endpoints' security plus that of the tunnel
itself.  If you distrust one of the endpoints, the best you can do is
either (1) never expose tokens there (but rather only at the other end),
(2) S/Key or OPIE OTP authentication, or (3) a SecurID fob or equivalent.

-- 
Cheers,                 "Heedless of grammar, they all cried 'It's him!'"
Rick Moen                       -- R.H. Barham, _Misadventure at Margate_
rick at linuxmafia.com
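
Added example, not part of the original post: a simplified Lamport hash-chain one-time password of the kind S/Key and OPIE are built on, showing why a value captured on a distrusted endpoint cannot be replayed. It uses SHA-256 instead of S/Key's own hash and word encoding; the class and function names and the seed are constructed for illustration.

```python
import hashlib
import hmac


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def chain(seed: bytes, n: int) -> bytes:
    """Apply h to the seed n times."""
    value = seed
    for _ in range(n):
        value = h(value)
    return value


class OtpServer:
    """Stores only the last accepted chain value, never the seed."""

    def __init__(self, initial: bytes, count: int):
        self.stored = initial   # h^count(seed)
        self.count = count      # logins remaining

    def challenge(self) -> int:
        # Sequence number the user must answer with h^(count-1)(seed).
        return self.count - 1

    def verify(self, otp: bytes) -> bool:
        if self.count <= 0:
            return False
        if not hmac.compare_digest(h(otp), self.stored):
            return False
        self.stored = otp       # the next login must present its preimage
        self.count -= 1
        return True


def demo():
    # Constructed seed; in practice it stays on a trusted device or
    # a pre-printed list, never on the distrusted endpoint.
    seed = b"constructed-passphrase+salt"
    server = OtpServer(chain(seed, 100), 100)

    otp1 = chain(seed, server.challenge())
    first = server.verify(otp1)     # legitimate login
    replay = server.verify(otp1)    # same value captured and replayed
    otp2 = chain(seed, server.challenge())
    second = server.verify(otp2)    # next legitimate login
    return first, replay, second
```

The captured value fails on replay because the server now expects its preimage, which only the seed holder can compute. The session that passes through the distrusted endpoint is still only as trustworthy as that endpoint.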



