Detecting forwarded agent connections

I know this is pretty left-field, but I'm working on a custom ssh-agent implementation and looking at ways to detect forwarded agent connections, with the hope to have a "confirm" mode which can apply just to those (or those, plus non-whitelisted local processes).

I realise this has been discussed a bit before, but I have thought up a method which seems to be working in my tests so far (which isn't one I've seen discussed really?), and wanted to ask if anyone can see an obvious problem with it.

The SSH client makes multiple connections to the agent's UNIX socket when it's forwarding -- the first one seems to always be for the client itself (even with public key auth disabled), and then subsequent connections are made 1:1 with remote client connections that are being forwarded.

My agent implementation already knows how to look up the PID of the connected process (via SO_PEERCRED, getpeerucred, etc.) and find its executable name and basic info (via procfs, kvm_getprocs, etc.) on the handful of OSes that I care about, so this is what I'm thinking of doing:

1. Track connections per process by pid + process start time (so if the PID is re-used, the start time should be different and we'll treat it as new).
2. If the calling process' exec binary path ends with "ssh" and this connection is NOT the first connection from that process, then prompt for confirmation.
3. Otherwise, allow it.

Obviously this won't work if somebody renames the "ssh" binary -- but the threat I'm trying to mitigate here is somebody forwarding from a trusted local machine to a remote machine which they conditionally trust (e.g. trust it in the absence of exploits), and there's not an easy way that I know of to rename the local ssh binary from the remote machine.

Am I crazy?

Thanks for your time reading, as always.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
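One way to implement the three steps described in the post, as an added example that is not code from the original message or from any real ssh-agent: it assumes Linux (SO_PEERCRED for the peer PID, /proc/<pid>/stat for the start time, /proc/<pid>/exe for the binary) and uses hypothetical helper names (peer_pid, proc_start_time, proc_exe, ForwardDetector).

```python
import os
import socket
import struct


def peer_pid(conn: socket.socket) -> int:
    """PID of the peer on a connected AF_UNIX socket, via Linux SO_PEERCRED."""
    # struct ucred { pid_t pid; uid_t uid; gid_t gid; } -> three native ints
    creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                            struct.calcsize("3i"))
    pid, _uid, _gid = struct.unpack("3i", creds)
    return pid


def proc_start_time(pid: int) -> int:
    """Process start time (clock ticks since boot), field 22 of /proc/<pid>/stat."""
    with open(f"/proc/{pid}/stat") as f:
        stat = f.read()
    # The comm field may contain spaces, so split only after its closing ')'.
    rest = stat[stat.rindex(")") + 2:].split()
    return int(rest[19])  # fields 3..: index 19 is field 22 (starttime)


def proc_exe(pid: int) -> str:
    """Resolved path of the peer's executable."""
    return os.readlink(f"/proc/{pid}/exe")


class ForwardDetector:
    """Counts agent connections per (pid, start_time) and flags likely forwarded ones.

    Keying on pid + start time means a reused PID with a different start time
    is treated as a brand-new process (step 1 of the post).
    """

    def __init__(self) -> None:
        self._seen: dict[tuple[int, int], int] = {}

    def needs_confirm(self, pid: int, start_time: int, exe_path: str) -> bool:
        key = (pid, start_time)
        count = self._seen.get(key, 0) + 1
        self._seen[key] = count
        # Step 2: an ssh client's first connection is for itself; any later
        # connection from the same ssh process is 1:1 with a forwarded client.
        # Step 3: everything else is allowed without a prompt.
        return os.path.basename(exe_path) == "ssh" and count > 1

    def check(self, conn: socket.socket) -> bool:
        pid = peer_pid(conn)
        return self.needs_confirm(pid, proc_start_time(pid), proc_exe(pid))
```

check() is what the agent would call on each accepted connection; needs_confirm() holds the pure decision logic so it can be exercised without a live socket.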


