Date: Tue, 1 May 2001 17:04:50 -0400
From: Graywane <graywane@home.com>
To: security@FreeBSD.ORG
Subject: Re: OpenSSH accepts any RSA key from host 127.0.0.1, even on non-default ports
Message-ID: <20010501170450.A93007@home.com>
In-Reply-To: <20010501162354.A282@bootp-20-219.bootp.virginia.edu>; from mipam@ibb.net on Tue, May 01, 2001 at 04:23:54PM -0400
References: <20010501231616.A40227@ldc.ro> <20010501162354.A282@bootp-20-219.bootp.virginia.edu>
On Tue, May 01, 2001 at 04:23:54PM -0400, Mipam wrote:
> On Tue, May 01, 2001 at 11:16:16PM +0300, Alex Popa wrote:
> > The reason why this bothers me is that I sometimes use ssh to tunnel ssh
> > connections (blowfish encryption in a 3DES tunnel, anyone?)
>
> Some people think that using encryption to encrypt already encrypted data
> is doubly secure. This is in general certainly not true.
> Instead, sometimes it only becomes easier to crack it.
> So I wouldn't advise using ssh in an ssh tunnel, to avoid possible
> problems like that.

You are missing the point. Let's say you are connecting from machine A to
machine B using ssh. You set up a port forward so that connections to machine
B at port 9999 are forwarded to machine A at port 22. Now you connect from
machine C to port 9999 of machine B using ssh. As long as you trust ssh on
machine C and sshd on machine A, then encrypting the second tunnel avoids
problems with the marginally trusted machine B (assuming you check your host
key fingerprints). It also allows you to bind sshd on machine A to 127.0.0.1
rather than 0.0.0.0.

--
Note: See http://www.members.home.net/graywane/ for PGP information.
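The two-hop setup described in the reply above, written out as an added shell example (editor's illustration, not code from the message or from the OpenSSH project). Machines A, B and C, port 9999, and binding A's sshd to 127.0.0.1 come from the message; the login names, the `HostKeyAlias` value `a-via-b`, the known_hosts path and the sample public key are assumptions made here. Two points the message leaves implicit are made explicit: B's sshd must have `GatewayPorts yes` for the port-9999 listener to be reachable from C (a remote forward binds to B's loopback by default), and the host key that answers on B:9999 is A's, so C should pin it under its own alias rather than under B's name, which is exactly the "check your host key fingerprints" step.

```shell
#!/bin/sh
# Added example, not from the original message. Hosts A, B, C and port 9999
# come from the message; user names, alias and key paths are assumptions.

A_USER="${A_USER:-alice}"      # assumed login on machine A
B_USER="${B_USER:-bob}"        # assumed login on the marginally trusted B
B_HOST="${B_HOST:-machine-b}"  # B, as both A and C can reach it
FWD_PORT=9999                  # port on B, from the message
HK_ALIAS="a-via-b"             # assumed HostKeyAlias so A's key is not filed under B

# Arguments for the reverse forward opened from A: B's sshd listens on
# $FWD_PORT and hands each connection to A's sshd on A's loopback. Because
# sshd on A listens on 127.0.0.1 only (sshd_config: ListenAddress 127.0.0.1),
# this tunnel is the only way in. B needs 'GatewayPorts yes' in its
# sshd_config, otherwise the listener binds to B's loopback and C cannot reach it.
remote_forward_args() {
    printf '%s %s:127.0.0.1:22' -R "$FWD_PORT"
}

# Step 1, run on A: hold the outer tunnel open (-N: no remote command).
open_tunnel_from_a() {
    # shellcheck disable=SC2046
    ssh -N $(remote_forward_args) "${B_USER}@${B_HOST}"
}

# Arguments for the inner session from C. The key presented belongs to A,
# so it is recorded under its own alias; StrictHostKeyChecking=yes refuses
# an unknown or changed key instead of silently accepting it.
inner_ssh_args() {
    printf '%s %s %s %s %s %s' -p "$FWD_PORT" \
        -o "HostKeyAlias=$HK_ALIAS" -o StrictHostKeyChecking=yes
}

# Step 2, run on C: the inner ssh, end to end between C and A.
connect_from_c() {
    # shellcheck disable=SC2046
    ssh $(inner_ssh_args) "${A_USER}@${B_HOST}" "$@"
}

# Turn a public key file ("<type> <base64> [comment]") into the known_hosts
# line for the alias; fails on anything that does not look like a public key.
known_hosts_line() {
    hk_alias="$1"; pubkey_file="$2"
    read -r ktype kdata _ < "$pubkey_file" || [ -n "$ktype" ] || return 1
    case "$ktype" in
        ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-*) ;;
        *) return 1 ;;
    esac
    [ -n "$kdata" ] || return 1
    printf '%s %s %s\n' "$hk_alias" "$ktype" "$kdata"
}

# Step 0, run once on C before the first inner connection: pin A's host key
# (a copy of A's public host key file obtained out of band, e.g.
# /etc/ssh/ssh_host_rsa_key.pub carried over by other means) and print its
# fingerprint so it can be compared with what A's owner reports.
pin_host_key() {
    pubkey_file="$1"; known_hosts="${2:-$HOME/.ssh/known_hosts}"
    line=$(known_hosts_line "$HK_ALIAS" "$pubkey_file") || return 1
    printf '%s\n' "$line" >> "$known_hosts"
    ssh-keygen -lf "$pubkey_file"
}

# Usage (each on the machine named in the comment above the function):
#   pin_host_key /path/to/a_host_key.pub      # on C, once
#   open_tunnel_from_a                         # on A, keep running
#   connect_from_c                             # on C
```

The trust argument in the message maps onto the options: B only ever sees ciphertext of the inner session, and because C pins A's key under `a-via-b` and uses `StrictHostKeyChecking=yes`, a B that substituted its own sshd on port 9999 would produce a host-key mismatch rather than a working login.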