On Sat, Jun 07, 2014 at 04:26:45PM +0100, Michael Scherer wrote:
> Can I assume that I would be able to say "use this playbook, but instead
> of using the port 22, use port 1234" without changing the playbook?
>
> In this case, I think this would mean that if I can create a ssh tunnel
> on the remote server (listening to port 1234 to a server I control,
> with ssh -L 1234:servericontrol:22), then I can make the playbook
> played on a server I control, which in turn means that I would
> potentially get access to files with password that I may not have access
> to.

As long as SSH host keys are properly verified, port forwarding should not matter, since the machine is identified by its SSH host key and not its IP address/port. The host key checking was enabled in Fedora Infrastructure a while ago. I hope it still is.

If the attacker has administrative access to a host, then it could also be changed to forward connections to port 22 to another host. So even without being able to specify the port, this might be exploited.

Regards
Till
_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
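
Added example, not part of the original message and not Fedora Infrastructure's configuration: a small audit that flags Ansible settings which switch off the SSH host key verification the reply above relies on. The two sample configs are constructed, and `audit_ansible_cfg` is a hypothetical helper name.

```python
import configparser
import re

# Constructed sample inputs (not taken from any real deployment).
SAFE_CFG = """
[defaults]
host_key_checking = True

[ssh_connection]
ssh_args = -o ControlMaster=auto -o ControlPersist=60s
"""

WEAK_CFG = """
[defaults]
host_key_checking = False

[ssh_connection]
ssh_args = -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
"""

# ssh options that disable host key verification or discard the pinned keys.
WEAK_SSH_OPTS = [
    (re.compile(r"StrictHostKeyChecking[= ]+(no|off)\b", re.I),
     "StrictHostKeyChecking is disabled"),
    (re.compile(r"UserKnownHostsFile[= ]+/dev/null", re.I),
     "known_hosts is discarded, so no key is ever pinned"),
]


def audit_ansible_cfg(text):
    """Return a list of findings; an empty list means host keys are verified."""
    # interpolation=None: ssh_args often contains literal '%' (e.g. ControlPath=%h).
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    # Ansible verifies host keys by default, hence fallback=True.
    if not cfg.getboolean("defaults", "host_key_checking", fallback=True):
        findings.append("defaults.host_key_checking is disabled")
    for opt in ("ssh_args", "ssh_common_args"):
        value = cfg.get("ssh_connection", opt, fallback="")
        for pattern, why in WEAK_SSH_OPTS:
            if pattern.search(value):
                findings.append(f"ssh_connection.{opt}: {why}")
    return findings


if __name__ == "__main__":
    for name, text in (("safe", SAFE_CFG), ("weak", WEAK_CFG)):
        print(name, audit_ansible_cfg(text) or "host keys are verified")
```

The same settings can also be overridden per run through the environment (`ANSIBLE_HOST_KEY_CHECKING`), so an audit of the config file alone does not cover every path.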