[ale] star topology/ProxyCommand hops versus chained ssh [was: Out of the Nest: ending bottom SSH session]

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Dec 15 22:17:15 EST 2008


On 12/11/2008 10:31 AM, John Mills wrote:

> I frequently open an SSH console from one Linux host to another, then from 
> the second to a third:
> 
>    +-------+ SSH     (SSH) +-------+ SSH +---+
>    | larry |---->[FW]----->| curly |---->|moe|
>    +-------+               +-------+     +---+
> 
> Between 'larry' and 'curly' is a firewall that forwards incoming SSH only 
> to 'curly' so I can't bypass that node.
> 
> larry: ~$ ssh curly
> curly: ~> ssh moe
> moe: / [and do some work here]
> moe: / < NOW_GET_ME_OUTA_HERE!! />

Other folks have already given some ideas which sound like they've
answered your main question.  But i want to point out that what you're
currently doing is probably not the best security practice, because
using chained ssh like this is worse than doing a "star" topology where
each session originates from the machine at which you physically sit. [0]

In general, you want an encrypted network session to only be visible to
the endpoints of that session.  In your example above, a user who has
compromised your account on curly or root@curly can now escalate that
compromise to an attack on your account on moe.

Here's how to protect against such an attack (it works best if your
account on curly uses ssh public keys, $SSH_ASKPASS, gssapi, session
multiplexing, or any other authentication method that interacts with the
user outside of the main ssh channel -- but you should probably be doing
that anyway).  Connect directly from larry:

 ssh -oProxyCommand='ssh curly nc -q0 %h 22' moe

This way, even root@curly only sees the encrypted network traffic
between you and moe.

You can make this convenient and permanent by dropping the following
stanza into larry:~/.ssh/config:

Host moe
  ProxyCommand ssh curly nc -q0 %h 22

Then all you have to do from larry is:

 ssh moe

If for some reason this doesn't work for you (or it just doesn't make
sense), please let me know -- i'd be happy to help debug it or explain
further.

hth,

	--dkg

PS it's not clear why you want to retain a session on curly after
exiting moe, and the above suggestion will *not* let you do so.
However, using SSH's session multiplexing features, it's easy to connect
to curly once and then reuse that connection via the ControlPath for
other sessions.

[0] http://lackof.org/taggart/hacking/ssh/
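Added example (not part of the original post or the list thread): a larry:~/.ssh/config that combines the two ideas above, the ProxyCommand hop to moe and the PS's session multiplexing to curly, so that one authenticated larry->curly connection is reused by later sessions, including the relay for moe. It assumes OpenSSH 5.6 or newer on larry (for `ssh -W` and ControlPersist); the hostnames larry/curly/moe come from the post, while the socket directory (~/.ssh/cm by default), the 10-minute persist timeout and the helper names write_ssh_config/option_for are choices made here.

```shell
#!/bin/sh
# Added example, not from the original post. Writes the larry-side ssh
# config and provides a small checker for the options it contains.
# Assumed: OpenSSH >= 5.6 on larry (ssh -W, ControlPersist); the socket
# directory and helper names are hypothetical choices for this example.

# write_ssh_config [config-file] [socket-dir]
#   Writes the config to $1 (default ~/.ssh/config) and prepares the
#   private directory $2 (default ~/.ssh/cm) that holds control sockets.
write_ssh_config() {
    cfg=${1:-"$HOME/.ssh/config"}
    sockdir=${2:-"$HOME/.ssh/cm"}
    cat > "$cfg" <<EOF
# Hop 1: larry -> curly. The first "ssh curly" becomes the master; later
# sessions (and the relay for moe below) ride on its socket without
# re-authenticating. ControlPersist keeps the master alive for 10 minutes
# after the last client exits.
Host curly
  ControlMaster auto
  ControlPath $sockdir/%r@%h:%p
  ControlPersist 10m

# Hop 2: larry -> moe through curly. "ssh -W host:port" makes curly forward
# raw bytes to moe's sshd; the session to moe is encrypted end-to-end on
# larry, so root on curly sees only ciphertext.
# On OpenSSH older than 5.4 use the post's form: ssh curly nc -q0 %h 22
Host moe
  ProxyCommand ssh -W %h:%p curly
EOF
    # The control socket hands an already-authenticated session to anyone
    # who can open it: keep it in a directory only this user can enter,
    # never in a shared /tmp. ssh also refuses a config writable by others.
    chmod 600 "$cfg"
    mkdir -p "$sockdir" && chmod 700 "$sockdir"
}

# option_for config-file host option
#   Prints the value of OPTION inside the "Host HOST" block of CONFIG-FILE
#   (empty output if the block sets no such option). A minimal Host-block
#   parser, enough to sanity-check the file written above; for the full
#   effective configuration on a real system run: ssh -G -F CONFIG HOST
option_for() {
    awk -v want="$2" -v opt="$(printf '%s' "$3" | tr 'A-Z' 'a-z')" '
        tolower($1) == "host" { cur = ($2 == want); next }
        cur && tolower($1) == opt {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }
    ' "$1"
}
```

After writing the config, `ssh curly` opens the master; a following `ssh moe` then needs no second authentication to curly, `ssh -O check curly` reports whether the master is still alive, and `ssh -O exit curly` tears it down once you are done on moe.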
