Dear Mailing ListWe are using a ControlMaster with a short ControlPersist to access the bastion host which then gives access to customer hosts.
Our Information Security Manager would like to disallow the ControlMaster. His attack scenario is an admin workstation with a compromised root account. An attacker can then use the ControlMaster to trivially get shell access on the bastion host without authentication when the actual admin user has an open SSH connection.
My argument is that there is too little security gain for the loss of convenience. If the attacker is root on the admin workstation, he has other means, like exchanging the SSH binary to silently drop some payload after connecting to the target or doing something similar by using the TTY file used by the shell which runs ssh (like "ECHO OFF, do your stuff, ECHO ON").
What is your opinion? Kind regards Konrad -- Konrad Bucheli Principal Systems Engineer O. +41 58 100 10 10 W. open-systems.com Open Systems
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
