From owner-freebsd-security  Tue May  1 14: 4:53 2001
Delivered-To: freebsd-security@freebsd.org
Received: from femail8.sdc1.sfba.home.com (femail8.sdc1.sfba.home.com [24.0.95.88])
	by hub.freebsd.org (Postfix) with ESMTP id 90D2B37B43F
	for <security@FreeBSD.ORG>; Tue,  1 May 2001 14:04:51 -0700 (PDT)
	(envelope-from graywane@home.com)
Received: from cg392862-a.adubn1.nj.home.com ([65.2.79.221])
          by femail8.sdc1.sfba.home.com
          (InterMail vM.4.01.03.20 201-229-121-120-20010223) with ESMTP
          id <20010501210451.IUSC1607.femail8.sdc1.sfba.home.com@cg392862-a.adubn1.nj.home.com>
          for <security@FreeBSD.ORG>; Tue, 1 May 2001 14:04:51 -0700
Received: (from graywane@localhost)
	by cg392862-a.adubn1.nj.home.com (8.11.3/8.11.3) id f41L4o493055
	for security@FreeBSD.ORG; Tue, 1 May 2001 17:04:50 -0400 (EDT)
	(envelope-from graywane)
Date: Tue, 1 May 2001 17:04:50 -0400
From: Graywane <graywane@home.com>
To: security@FreeBSD.ORG
Subject: Re: OpenSSH accepts any RSA key from host 127.0.0.1, even on non-default ports
Message-ID: <20010501170450.A93007@home.com>
References: <20010501231616.A40227@ldc.ro> <20010501162354.A282@bootp-20-219.bootp.virginia.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010501162354.A282@bootp-20-219.bootp.virginia.edu>; from mipam@ibb.net on Tue, May 01, 2001 at 04:23:54PM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, May 01, 2001 at 04:23:54PM -0400, Mipam wrote:
> On Tue, May 01, 2001 at 11:16:16PM +0300, Alex Popa wrote:
> > The reason why this bothers me is that I sometimes use ssh to tunnel ssh
> > connections (blowfish encryption in a 3DES tunnel, anyone?)
> 
> Some ppl think that using encryption to encrypt allrdy encrypted data
> is dubble secure. This is in general certainly not true.
> Instead, sometimes it becomes only easier to crack it.
> So i wouldnt advice to use ssh in a ssh tunnel to aviod possible
> problems like that.

You are missing the point. Lets say you are connecting from machine A to
machine B using ssh. You setup a port forward so that connections to machine
B at port 9999 are forwarded to machine A at port 22. Now you connect from
machine C to port 9999 of machine B using ssh. As long as you trust ssh on
machine C and sshd on machine A then encrypting the second tunnel avoids
problems with the marginally trusted machine B (assuming you check your host
key fingerprints). It also allows you to bind sshd on machine A to 127.0.0.1
rather than 0.0.0.0

-- 
Note: See http://www.members.home.net/graywane/ for PGP information.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message