From owner-freebsd-security Wed Dec 1 14: 7:19 1999
Delivered-To: freebsd-security@freebsd.org
Received: from kerouac.deepwell.com (deepwell.com [209.63.174.12])
    by hub.freebsd.org (Postfix) with SMTP id BD51A14F94
    for ; Wed, 1 Dec 1999 14:07:17 -0800 (PST)
    (envelope-from terrye@deepwell.com)
Received: (qmail 29678 invoked from network); 1 Dec 1999 22:58:29 -0000
Received: from proxy.dcomm.net (HELO terry) (209.63.175.10)
    by deepwell.com with SMTP; 1 Dec 1999 22:58:29 -0000
Message-Id: <4.2.0.58.19991201135910.014ce550@mail1.dcomm.net>
X-Sender: terrye@deepwell.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58
Date: Wed, 01 Dec 1999 14:06:50 -0800
To: Paul Hart , freebsd-security@freebsd.org
From: Terry Ewing
Subject: Re: logging a telnet session
In-Reply-To:
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This is probably the only way to have an external sniffer view an ssh session in plaintext.

This opens up a whole mess though. We're back to modifying the system that has been intruded upon. If you were checking the checksums of your binaries on a regular basis then you will tip your cards to the intruder by showing him that sshd has been modified. I guess you could make a new image of the checksum and replace it trying to act like that has always been the checksum for the sshd binary.

As for the intruder, he'd really throw a wrench into your works by compiling his own sshd binary and using that on your server. He could verify the checksum on a regular basis.

At 02:50 PM 12/1/99 -0700, you wrote:
>On Wed, 1 Dec 1999, Jason Hudgins wrote:
>
> > Watching the packet stream is pretty useless if the hacker is using
> > ssh however, which in my opinion, it would be pretty stupid not to.
>
>No. Remember, you're the one calling the shots. Go ahead and trojan your
>own sshd to leak session keys so you can decrypt the sniffed sessions, or
>even better, have it leak the cleartext before encrypting it.
>
>The original poster wanted to watch a telnet session anyway.
>
>Paul Hart
>
>--
>Paul Robert Hart ><8> ><8> ><8> Verio Web Hosting, Inc.
>hart@iserver.com ><8> ><8> ><8> http://www.iserver.com/
>
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message