
Re: Fully transparent SSH proxy


Hello Aris,

Actually, public key auth is not a concern, so I will try the ssh_messages approach.

Password and public key auth both have pros and cons; from a security point of view,
public key auth also has some flaws, especially when authentication with the public key
happens often.

BTW, I am using the latest stable 0.4, but I also need the calls to be non-blocking, so I
would like to give 0.5 a try. How is the support for non-blocking sockets at the
moment?

Thanks very much, Aris

On Jun 22, 2010, at 11:43 AM, Aris Adamantiadis wrote:

> Hi Andrea,
> 
> What you suggest will be possible with the next API (in git master).
> Currently, there is no public API to hook the parsing of packets. Which
> libssh version are you using? Did you modify something?
> 
> There are several layers on which you can do that. You could for
> instance use the channel layer (using ssh_messages) to proxy the
> messages; this has the advantage of permitting more fine-grained
> selection of the authorized functionalities.
> 
> Of course there is something that cannot work at all: public key
> authentication. Are you using it ? Using password authentication in my
> opinion is a big way backward in the security of the systems you're
> trying to protect. I can see workarounds, let me know if you wish to
> discuss it.
> 
> Aris
> 
> Andrea Moretto wrote:
>> Hi there!
>> 
>> I would like to implement a FULLY TRANSPARENT SSH proxy using libssh.
>> I am aware that an SSH proxy is a breach in a SSH secured system (MITM),
>> but in my environment the security (and the identification) is granted
>> by an underlying VPN.
>> 
>> By "proxy" I mean an application that has both SSH server and SSH client
>> parts. As soon as a new connection is accepted by the server, a new "forwarded"
>> SSH session is opened towards the destination.
>> 
>> I have actually done most of the code, but I am not sure I am forwarding all
>> the packets to the destination. Is there a way to forward "blindly" all the
>> payload to the forwarded SSH session?
>> 
>> Thanks in advance!
>> 
>> Andrea Moretto
>> moretto.andrea@xxxxxxxxx
>> -------------------------------------------------------
>> CONFIDENTIALITY NOTICE
>> This message and its attachments are addressed solely to the persons
>> above and may contain confidential information. If you have received
>> the message in error, be informed that any use of the content hereof
>> is prohibited. Please return it immediately to the sender and delete
>> the message.
>> -------------------------------------------------------
>> 
>> 
> 
> 

Andrea Moretto
moretto.andrea@xxxxxxxxx
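Aris's remark that public key authentication cannot work through such a proxy follows from what an SSH client actually signs. The example below is added here and is not part of the thread or of libssh: it rebuilds the RFC 4252 section 7 signed blob in Go with a constructed Ed25519 key and constructed exchange hashes, and shows that the signature a client produces for its client<->proxy session does not verify against the proxy<->server session, so the proxy cannot simply relay it.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// sshString appends an SSH "string": uint32 big-endian length, then the bytes (RFC 4251).
func sshString(b *bytes.Buffer, s []byte) {
	var l [4]byte
	binary.BigEndian.PutUint32(l[:], uint32(len(s)))
	b.Write(l[:])
	b.Write(s)
}

// userauthSignedData is the byte sequence an SSH client signs for "publickey" auth
// (RFC 4252 §7). Its first field is the session identifier H of the key exchange,
// so a signature made for one SSH session cannot be reused on another.
func userauthSignedData(sessionID []byte, user string, pub ed25519.PublicKey) []byte {
	var key, b bytes.Buffer
	sshString(&key, []byte("ssh-ed25519")) // public key blob: string algorithm, string key
	sshString(&key, pub)
	sshString(&b, sessionID)
	b.WriteByte(50) // SSH_MSG_USERAUTH_REQUEST
	sshString(&b, []byte(user))
	sshString(&b, []byte("ssh-connection"))
	sshString(&b, []byte("publickey"))
	b.WriteByte(1) // boolean TRUE: a signature follows
	sshString(&b, []byte("ssh-ed25519"))
	sshString(&b, key.Bytes())
	return b.Bytes()
}

// VerifyForwardedAuth models the proxy relaying the client's signature unchanged: the client
// signs over H of the client<->proxy exchange, the server verifies over H of its own exchange.
func VerifyForwardedAuth(priv ed25519.PrivateKey, clientH, serverH []byte, user string) bool {
	pub := priv.Public().(ed25519.PublicKey)
	sig := ed25519.Sign(priv, userauthSignedData(clientH, user, pub))
	return ed25519.Verify(pub, userauthSignedData(serverH, user, pub), sig)
}

func main() {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{7}, ed25519.SeedSize)) // constructed test key
	h1 := sha256.Sum256([]byte("constructed client<->proxy exchange hash"))
	h2 := sha256.Sum256([]byte("constructed proxy<->server exchange hash"))
	fmt.Println("direct:", VerifyForwardedAuth(priv, h1[:], h1[:], "andrea"))  // true
	fmt.Println("via proxy:", VerifyForwardedAuth(priv, h1[:], h2[:], "andrea")) // false
}
```

The same binding is why a proxy that wants to authenticate to the destination needs its own credentials there (or a password it can replay), which is the workaround trade-off Aris alludes to.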

