Navindra Umanee writes:

> ... ssh tunneling, i.e. forwarding TCP/IP ports over an ssh connection, and the
> fact that sshd was running as root on the server.
>
> ssh -L 1234:mailmachine:25 mailmachine sleep 100
>
> (2) then connect to localhost:1234 and send mail that appears to be
> coming from root@mailmachine.

Indeed, this is a cute new way of forging mail and confusing the logs somewhat. MTA logging could probably be extended in various ways to detect this, if it seemed necessary.

> While I realise that identd was never meant to be a proper form of
> authentication, many running rshd servers still rely on it and sshd's
> behavior may turn out to be rather problematic.
>
> For example, I don't see why one couldn't also forward rshd
> connections and hack the rlogin client to connect to arbitrary ports.
> One could then find an accessible machine with root in the .rhosts or
> hosts.equiv -- this is not as uncommon as one would think.

No matter which way you use ssh port forwarding, you will never manage to get a privileged source port, so rshd will not trust host-based authentication information.

    ssh -L 1234:foo:513 foo sleep 100

doesn't make the connections sshd on foo initiates to foo have a privileged source port, so foo's rlogind won't trust them.

    ssh -R 513:foo:1234 foo sleep 100

doesn't make the connections ssh on localhost initiates to localhost have a privileged source port, so localhost's rlogind won't trust them.

identd's confusion over ssh tunnels is problematic just for logging purposes, but the rsh/rlogin specification does supposedly insist on privileged source ports, with which the current ssh/sshd do the right thing. In the current FreeBSD rshd, for instance,

    if (fromp->sin_port >= IPPORT_RESERVED || fromp->sin_port < IPPORT_RESERVED/2) {
        syslog(LOG_NOTICE|LOG_AUTH, "connection from %s on illegal port %u", ...

An rshd which takes the shortcut of relying on identd would be exploitable, but I have never seen one.

Since identd is not running on all hosts, it is really not advisable to rely on it in place of privileged/unprivileged port checking.

--
Seth David Schoen L&S '01 (undeclared) / schoenat_private

Great thanks must be given to the immortal gods and to this very Jupiter Stator, the most ancient guardian of this city, that we have now so many times escaped so foul, so horrible and so hostile a plague to the republic.
-- Cicero, in Catilinam I
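The privileged-source-port check the post quotes from rshd, written out as an added example (not the post's or FreeBSD's own code): the function names source_port_is_privileged and peer_port_is_privileged are assumed here, and the byte-order step is the caveat a practitioner reimplementing the check tends to miss.

```c
/* Added example, not the post's or FreeBSD's own code: the privileged
 * source-port check rshd applies before trusting .rhosts/hosts.equiv,
 * with a helper that reads the peer address of an accepted socket. */
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#ifndef IPPORT_RESERVED
#define IPPORT_RESERVED 1024
#endif

/* Return 1 if the client's source port is in the window rshd accepts,
 * IPPORT_RESERVED/2 .. IPPORT_RESERVED-1 (512..1023).  Only a root
 * process can bind a port below 1024, which is the basis of rsh's
 * trust; an ssh-forwarded connection is initiated by ssh/sshd from an
 * ephemeral port (>= 1024) and therefore fails here. */
int source_port_is_privileged(uint16_t host_order_port)
{
    if (host_order_port >= IPPORT_RESERVED ||
        host_order_port < IPPORT_RESERVED / 2)
        return 0;
    return 1;
}

/* Apply the check to an accepted IPv4 socket: 1 = trust, 0 = reject,
 * -1 = error.  sin_port is in network byte order, so it must go through
 * ntohs() before being compared with IPPORT_RESERVED. */
int peer_port_is_privileged(int fd)
{
    struct sockaddr_in from;
    socklen_t len = sizeof from;

    memset(&from, 0, sizeof from);
    if (getpeername(fd, (struct sockaddr *)&from, &len) < 0 ||
        from.sin_family != AF_INET)
        return -1;
    if (!source_port_is_privileged(ntohs(from.sin_port))) {
        /* rshd reports this via syslog(LOG_NOTICE|LOG_AUTH, ...) */
        fprintf(stderr, "connection on illegal port %u\n",
                (unsigned)ntohs(from.sin_port));
        return 0;
    }
    return 1;
}
```

Port 1023 or 513 (a root-bound rsh client) passes; 1024 and above (what ssh -L or -R forwarding produces) and anything below 512 is rejected.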
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:15:12 PDT