On Tue, Jan 21, 2020 at 11:08:51AM +1100, Damien Miller wrote:
> So IMO disallowing session multiplexing is at most a speedbump that an
> attacker will cross with relative ease. Speedbumps make sense sometimes,

An attacker getting root on the jumphost gets immediate control of any
_current_ persistent connections and new connections. Without ControlMaster
it's a _lot_ harder to take control of current connections, but pretty easy
to subvert new connections. So there is a benefit... but a small one.

> but they must be weighed against their inconvenience.

This is pretty much true of all security controls :-)

--
rgds
Stephen
On Mon, 20 Jan 2020, Stephen Harris wrote:
> On Tue, Jan 21, 2020 at 11:08:51AM +1100, Damien Miller wrote:
> > So IMO disallowing session multiplexing is at most a speedbump that an
> > attacker will cross with relative ease. Speedbumps make sense sometimes,
>
> An attacker getting root on the jumphost gets immediate control of
> any _current_ persistent connections and new connections. Without
> ControlMaster it's a _lot_ harder to take control of current connections,
> but pretty easy to subvert new connections.

I wouldn't say it's a lot harder to take control of current connections -
writing a ptrace-based tool that hijacked a running ssh client and
injected a one-off implant payload via keystrokes doesn't seem like
much work.

-d
On Tue, Jan 21, 2020 at 12:18:52PM +1100, Damien Miller wrote:
> I wouldn't say it's a lot harder to take control of current connections -
> writing a ptrace-based tool that hijacked a running ssh client and
> injected a one-off implant payload via keystrokes doesn't seem like
> much work.

* Injection of key strokes into an existing channel may be detected just
  because "hey, I didn't type foobar, so why is it on my screen". A new
  shell on a different channel won't show so obviously.

* That's a lot harder than just getting a whole new shell without writing
  any tools; just use the existing ssh command line. Tool-less compromise
  is a higher risk vector 'cos it's harder for monitoring tools to detect.

--
rgds
Stephen
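The control the thread is weighing is the client-side ControlMaster /
ControlPersist setting that leaves a master connection (and its socket)
alive on the jumphost after the interactive session ends. The script below
is an added example, not code from this thread or from OpenSSH: it audits a
piece of ssh_config text and reports whether it enables persistent
multiplexing ("persistent"), multiplexing that dies with the last session
("multiplexed"), or none ("off"). The sample config texts are constructed;
the parser applies ssh_config's first-match-wins rule but, as a
simplification, ignores Host/Match scoping and the `keyword=value` form.

```sh
#!/bin/sh
# Added example (not from the mailing-list thread): classify the
# multiplexing posture of an ssh_config fragment.

# ssh_config_value CONFIG_TEXT KEYWORD
# Prints the first value set for KEYWORD (keywords are case-insensitive and
# the first occurrence wins, per ssh_config(5)); comment lines are skipped.
# Simplification: Host/Match blocks are not honoured.
ssh_config_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) && !found { val = $2; found = 1 }
        END { print val }
    '
}

# multiplexing_state CONFIG_TEXT
# Echoes "off" unless ControlMaster is one of yes/auto/ask/autoask.
# With ControlMaster on, ControlPersist unset or "no" means the master
# dies with the last client ("multiplexed"); any other value (yes, 0, or a
# time) keeps the master and its socket alive in the background
# ("persistent"), which is the case the thread is discussing.
multiplexing_state() {
    master=$(ssh_config_value "$1" ControlMaster | tr 'A-Z' 'a-z')
    persist=$(ssh_config_value "$1" ControlPersist | tr 'A-Z' 'a-z')
    case "$master" in
        yes|auto|ask|autoask) ;;
        *) echo off; return 0 ;;
    esac
    case "$persist" in
        ""|no) echo multiplexed ;;
        *)     echo persistent ;;
    esac
}

# Constructed sample configs (not taken from any real host).
WEAK_CFG='# jumphost client config: long-lived master sockets
Host *
    ControlMaster auto
    ControlPath ~/.ssh/cm-%r@%h:%p
    ControlPersist 10m'

HARDENED_CFG='# same config with multiplexing disabled
Host *
    ControlMaster no'

# Stand-alone run: report both postures.
printf 'weak config:     %s\n' "$(multiplexing_state "$WEAK_CFG")"
printf 'hardened config: %s\n' "$(multiplexing_state "$HARDENED_CFG")"
```

Pointing this at ~/.ssh/config and /etc/ssh/ssh_config on a jumphost (for
example `multiplexing_state "$(cat ~/.ssh/config)"`) gives a quick read on
whether there are persistent masters for an attacker with root to pick up,
or only new connections to subvert, which is the distinction Stephen draws
above.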