Re: Review for new rbac_playbook

On Saturday, 07 June 2014 at 19:31 +0200, Till Maas wrote:
> On Sat, Jun 07, 2014 at 04:26:45PM +0100, Michael Scherer wrote:
> 
> > Can I assume that I would be able to say "use this playbook, but instead
> > of using port 22, use port 1234" without changing the playbook?
> > 
> > In this case, I think this would mean that if I can create a ssh tunnel
> > on the remote server ( listening on port 1234 to a server I control,
> > with ssh -L 1234:servericontrol:22 ), then I can make the playbook
> > played on a server I control, which in turn means that I would
> > potentially get access to files with passwords that I may not have access
> > to.
> 
> As long as SSH host keys are properly verified, port forwarding should
> not matter, since the machine is identified by its SSH host key and
> not its IP address/port. The host key checking was enabled in Fedora
> Infrastructure a while ago.

I do not see that in /etc/ssh/ssh_config on lockbox ( could be in
~/.ssh/config however ), nor anything in /etc/ansible/ansible.cfg
( could again be a local config somewhere else ). I didn't find anything
making it see a different ~/.ssh/config, nor ~/.ansible/* , so I think the
default is used, which is 'ask'.

And after a quick crude test, if you have ssh listening on 2 ports, ssh
will treat each as a different entry in known_hosts, and so ask again.
( or at least on my laptop, I didn't dig more given the hour, will try
to search a bit more ).

So while I am not 100% certain ( again, it could be different in the
precise case of ansible in Fedora infra, could be one of the 360 lines
of my own ssh config, could be me being tired ), I would not exclude a
possible issue with what I do see.

> I hope it still is. If the attacker has
> administrative access to a host, then it could also be changed to forward
> connections to port 22 to another host. So even without being able to
> specify the port, this might be exploited.

-- 
Michael Scherer

_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
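The thread turns on how OpenSSH files hosts in known_hosts: port 22 is recorded under the bare hostname, any other port under "[host]:port", so the same machine reached on a different port is a separate entry and, with StrictHostKeyChecking set to ask, a fresh prompt. The following is an added example written for this page, not code from the thread or from Fedora Infrastructure. It parses a constructed known_hosts sample (plain and HashKnownHosts-style hashed entries, plus the @revoked marker) and looks up which key is on file for a given host and port; wildcard and "!" negation patterns are deliberately not handled. The hostname, key and salt are invented sample values.

```python
import base64
import hashlib
import hmac


def known_hosts_name(host: str, port: int = 22) -> str:
    """Name OpenSSH uses to file a host in known_hosts.

    Port 22 is stored as the bare hostname; any other port as
    "[host]:port". That is why the same server reached through a
    forwarded port 1234 is a different entry than its port-22 entry
    and gets its own StrictHostKeyChecking decision.
    """
    return host if port == 22 else f"[{host}]:{port}"


def hash_known_host(name: str, salt: bytes) -> str:
    """Hashed entry name as written with HashKnownHosts yes:
    |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=name))."""
    digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def parse_known_hosts(text: str):
    """Yield (marker, names, keytype, key) per entry; blank and comment lines skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        marker = None
        if line.startswith("@"):  # @cert-authority or @revoked
            marker, line = line.split(None, 1)
        fields = line.split(None, 2)
        if len(fields) < 3:
            continue  # malformed line, ignored like OpenSSH does
        names, keytype, rest = fields
        key = rest.split()[0]  # drop a trailing comment, if any
        yield marker, names.split(","), keytype, key


def name_matches(pattern: str, name: str) -> bool:
    """Exact comparison for plain names; HMAC recomputation for hashed ones."""
    if pattern.startswith("|1|"):
        _, _, b64salt, _ = pattern.split("|", 3)
        salt = base64.b64decode(b64salt)
        return hmac.compare_digest(hash_known_host(name, salt), pattern)
    return pattern == name


def lookup(text: str, host: str, port: int = 22):
    """Return the (keytype, key) pairs on file for host:port, skipping @revoked entries."""
    name = known_hosts_name(host, port)
    found = []
    for marker, names, keytype, key in parse_known_hosts(text):
        if marker == "@revoked":
            continue
        if any(name_matches(p, name) for p in names):
            found.append((keytype, key))
    return found


# Constructed sample (assumption: invented host, key and salt, not real values).
SAMPLE_KEYTYPE = "ssh-ed25519"
SAMPLE_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotARealKey"
SAMPLE_SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts, not a real file",
    f"server.example {SAMPLE_KEYTYPE} {SAMPLE_KEY} admin@lockbox",
    # the same server on port 1234, stored hashed as OpenSSH would with HashKnownHosts yes
    f"{hash_known_host('[server.example]:1234', SAMPLE_SALT)} {SAMPLE_KEYTYPE} {SAMPLE_KEY}",
    f"@revoked old.example {SAMPLE_KEYTYPE} {SAMPLE_KEY}",
    "",
])


if __name__ == "__main__":
    for port in (22, 1234, 2222):
        print(known_hosts_name("server.example", port),
              lookup(SAMPLE_KNOWN_HOSTS, "server.example", port))
```

Running it shows a key on file for port 22 and for port 1234 (via the hashed entry) but nothing for port 2222, which is exactly the "asks again" behaviour described above. The operational consequence for Ansible is that the port-22 trust decision does not carry over to a non-default port; whether a connection through an unknown "[host]:port" is refused or merely prompted for depends on the StrictHostKeyChecking value in the ssh config actually in effect and on `host_key_checking` in ansible.cfg.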




