Date: Wed, 5 Jul 2000 08:07:24 -0600 (CST)
From: Ryan Thompson <ryan@sasknow.com>
To: Chris <kingsqueak@home.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: TCP/IP forwarding in SSH2 - testing?
Message-ID: <Pine.BSF.4.21.0007050751280.22226-100000@ren.sasknow.com>
In-Reply-To: <20000705085049.C7940@kingsqueak.org>
Chris wrote to Ryan Thompson:
> To be honest with you what I suspect you are seeing by running tcpdump
> locally is free text transmission that is in fact viewable on your local
> machine. With port redirection I'm not sure that is avoidable.
>
> What you will verify with my hub suggestion is that *all* traffic
> external to your machine in relation to that connect will be encrypted.

Yup.. However, I put another system on the same Ethernet segment and
started analysing packets:

  .---------------.                    .--------.
  | remote client | ---- Internet ---- | router |
  `---------------'                    `--------'
                                    _______|_______ 100Mbps Ethernet
                                    |             |
                            .---------.  .------------------.
                            | monitor |  | ssh/telnetd host |
                            `---------'  `------------------'

So, from the "monitor" system, I sniff packets.

On port 22, I see encrypted text transmitted to and fro when the remote
client types text or receives information. To me that is a Good Sign.

However, even on the monitor system, I still see clear text transmissions
on the high-numbered port used for forwarding, AND the telnet port. (The
remote client did in fact telnet to the ssh/telnet host on the
high-numbered forwarded port--see my example previously in this thread)

So, the fact that encrypted data is being transmitted over port 22 in
perfect time with the client typing commands/receiving output gives me
encouragement.

The fact that the resultant data is available in the clear to other
systems on the receiving LAN is discouraging ;-) Is it possible or likely
that the ssh server is, for some reason, injecting the decrypted data
packets back onto the Ethernet, despite the fact that all packets have a
destination (or source) of the ssh server only?

> IOW, the redirected traffic will remain in clear text to anyone with
> privileges to activate sniffing on your local server, however en route
> it will be encrypted.

I've had the same thoughts. I suppose the next step is throwing another
gateway on another subnet between the two hosts and monitoring from there.
(Truly man-in-the-middle monitoring).

- Ryan

--
Ryan Thompson <ryan@sasknow.com>
Systems Administrator, Accounts
Phone: +1 (306) 664-1161
SaskNow Technologies http://www.sasknow.com
#106-380 3120 8th St E Saskatoon, SK S7H 0W2
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
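
Added example, not part of the original message or thread: one way to turn the monitor-side check described above into a repeatable test is to pool the captured payload bytes per server port and compare byte entropy and printable-character ratio. The payloads, the thresholds and port 8023 (standing in for the unnamed high-numbered forwarded port) are constructed assumptions.

```python
import hashlib
import math
from collections import Counter, defaultdict

MIN_BYTES = 256  # fewer pooled bytes than this is too little to judge

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, far lower for terminal text."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab, CR or LF."""
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)

def classify(data: bytes) -> str:
    if len(data) < MIN_BYTES:
        return "insufficient-data"
    h, p = shannon_entropy(data), printable_ratio(data)
    if h > 7.0 and p < 0.6:
        # High entropy only means "not plain text"; compressed data looks the same.
        return "likely-encrypted"
    if p > 0.9:
        return "likely-cleartext"
    return "indeterminate"

def classify_by_port(packets):
    """packets: iterable of (server_port, payload); payloads are pooled per port."""
    pooled = defaultdict(bytearray)
    for port, payload in packets:
        pooled[port] += payload
    return {port: classify(bytes(buf)) for port, buf in pooled.items()}

def fake_ciphertext(n: int) -> bytes:
    """Constructed stand-in for SSH ciphertext (deterministic SHA-256 chain)."""
    out, block = b"", b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]

# Constructed capture. 8023 is an assumed stand-in for the forwarded port.
_ct = fake_ciphertext(2048)
_tn = b"$ ls -l /etc\r\ntotal 512\r\n-rw-r--r--  1 root  wheel  hosts\r\n" * 8
SAMPLE = ([(22, _ct[i:i + 64]) for i in range(0, len(_ct), 64)]
          + [(8023, _tn[i:i + 59]) for i in range(0, len(_tn), 59)]
          + [(23, b"$ ls\r\n")])

if __name__ == "__main__":
    print(classify_by_port(SAMPLE))
```

With a real capture, the (port, payload) pairs would come from the sniffer's output instead of SAMPLE; a port that stays at "insufficient-data" needs a longer capture before any conclusion is drawn.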
