From owner-freebsd-security Tue May 1 14:04:53 2001
Delivered-To: freebsd-security@freebsd.org
Received: from femail8.sdc1.sfba.home.com (femail8.sdc1.sfba.home.com [24.0.95.88]) by hub.freebsd.org (Postfix) with ESMTP id 90D2B37B43F for ; Tue, 1 May 2001 14:04:51 -0700 (PDT) (envelope-from graywane@home.com)
Received: from cg392862-a.adubn1.nj.home.com ([65.2.79.221]) by femail8.sdc1.sfba.home.com (InterMail vM.4.01.03.20 201-229-121-120-20010223) with ESMTP id <20010501210451.IUSC1607.femail8.sdc1.sfba.home.com@cg392862-a.adubn1.nj.home.com> for ; Tue, 1 May 2001 14:04:51 -0700
Received: (from graywane@localhost) by cg392862-a.adubn1.nj.home.com (8.11.3/8.11.3) id f41L4o493055 for security@FreeBSD.ORG; Tue, 1 May 2001 17:04:50 -0400 (EDT) (envelope-from graywane)
Date: Tue, 1 May 2001 17:04:50 -0400
From: Graywane
To: security@FreeBSD.ORG
Subject: Re: OpenSSH accepts any RSA key from host 127.0.0.1, even on non-default ports
Message-ID: <20010501170450.A93007@home.com>
References: <20010501231616.A40227@ldc.ro> <20010501162354.A282@bootp-20-219.bootp.virginia.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010501162354.A282@bootp-20-219.bootp.virginia.edu>; from mipam@ibb.net on Tue, May 01, 2001 at 04:23:54PM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, May 01, 2001 at 04:23:54PM -0400, Mipam wrote:
> On Tue, May 01, 2001 at 11:16:16PM +0300, Alex Popa wrote:
> > The reason why this bothers me is that I sometimes use ssh to tunnel ssh
> > connections (blowfish encryption in a 3DES tunnel, anyone?)
>
> Some people think that using encryption to encrypt already encrypted data
> is doubly secure. This is in general certainly not true.
> Instead, sometimes it only becomes easier to crack it.
> So I wouldn't advise using ssh in an ssh tunnel, to avoid possible
> problems like that.

You are missing the point.
Let's say you are connecting from machine A to machine B using ssh. You set up a port forward so that connections to machine B at port 9999 are forwarded to machine A at port 22. Now you connect from machine C to port 9999 of machine B using ssh. As long as you trust ssh on machine C and sshd on machine A, then encrypting the second tunnel avoids problems with the marginally trusted machine B (assuming you check your host key fingerprints). It also allows you to bind sshd on machine A to 127.0.0.1 rather than 0.0.0.0.

--
Note: See http://www.members.home.net/graywane/ for PGP information.
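The A/B/C setup described in the message, written out as OpenSSH configuration. This is an added example, not something posted in the thread; the host names (B.example), user names, file paths and the name "machine-a" are assumed. It also shows the check the message relies on: pinning the inner hop's host key to A rather than to "B:9999", so a substituted key on the marginally trusted B is refused rather than silently stored.

```sshconfig
# --- Machine A: sshd_config (path assumed: /etc/ssh/sshd_config) ---
# sshd answers only on loopback; the only path in is the tunnel from B.
ListenAddress 127.0.0.1
Port 22

# --- Machine A: the outer hop, typed in a shell on A ---
#   ssh -R 9999:127.0.0.1:22 userB@B.example
# B now listens on port 9999 and hands each connection back through this
# tunnel to A's 127.0.0.1:22.  Note: sshd on B binds a remote forward to
# B's loopback unless "GatewayPorts yes" is set in B's sshd_config, so
# that setting on B is required for C to reach B:9999 at all.

# --- Machine C: ~/.ssh/config (path assumed) ---
# The inner hop.  TCP goes to B:9999, but the peer that answers is sshd
# on A.  HostKeyAlias stores and checks the key under the name
# "machine-a" instead of "[B.example]:9999", so the comparison is
# against A's fingerprint, and StrictHostKeyChecking refuses a mismatch
# instead of prompting.  Verify A's fingerprint out of band before the
# first connection, then the entry can be inspected with:
#   ssh-keygen -F machine-a
Host a-via-b
    HostName B.example
    Port 9999
    User userA
    HostKeyAlias machine-a
    StrictHostKeyChecking yes

# The outer hop as seen from C, for completeness: a normal session to B,
# trusted only for carrying bytes, not for seeing the inner plaintext.
Host b
    HostName B.example
    User userB
    StrictHostKeyChecking yes
```

From C, `ssh a-via-b` then reaches sshd on A end-to-end encrypted through B, and because the outer and inner sessions have different host keys, a failure of the inner host-key check points at tampering on B.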