
Re: ssh security question



On Sun, Aug 26, 2001 at 10:11:08PM +0200, Martin F Krafft wrote:
> my laptop has two net interfaces, one wired and one wireless. they
> have different MAC addresses, but i configured my DHCP server to treat
> them the same so that i usually have the same IP no matter what card i
> use.
> 
> i just noticed a curious bit of possible security awkwardness. with my
> wired card, i established an ssh2 connection to another machine on my
> subnet, then i proceeded to swap the cards - and i could continue
> using my ssh2 session as soon as the new card received an IP (the same
> one). now i ask you - this smells like a problem to me, or not?
> shouldn't sshd at least worry about the MAC address too (can it?) just
> an IP is too easy to spoof (MAC are too i guess).
> 

Here is how the security works on the other computer on the network:

Reply packets are sent to the MAC address which the arp tables in
that computer's kernel say they should go to.  Normally these tables
are just a dynamic cache, but you can make permanent entries with
arp(8).

Incoming packets are not checked because on traditional non-switched
Ethernet anyone can spoof MAC addresses by simply setting some option
in the hardware config.  On switched networks the switch hardware
can sometimes be configured to prevent MAC spoofing by refusing
packets coming in through the wrong cable to the switch, but I don't
think the Linux kernel has an option for checking incoming MACs yet.


Here is how the security works on the multihomed computer:

sshd aborts if the data is not "signed" with the session key
originally negotiated (see the other reply on this list), but
even if it did not check that (e.g. replace sshd with telnetd).

sshd only accepts the data if it is coming in on the open TCP
connection that you logged in on originally.

The TCP layer of the kernel (on any OS) only accepts the packets
as being part of that TCP connection if it has the exact same
source address, source port, destination address and destination
port.  This is part of the TCP protocol definition.

The routing layer of Linux (we are talking about the kernel now,
so the proper name is Linux, not GNU/Linux) only sends the packets
upwards if the destination IP address belongs to this computer
according to ifconfig.  Also the routing layer always sends
the reply packets out the interface specified as the route
towards the far end.

The security layer of Linux only passes the packets to the TCP
layer if they are accepted by the input firewall rules on their
way in (the reply must satisfy the output rules).  I assume
you have such rules, otherwise anything goes (see man ipfwadm
for kernel 2.0.x, man ipchains for 2.2.x, man iptables for
2.4.x.  There are HOWTO documents for each too).

The antispoof feature of the kernel only accepts the packets if
the source address is one which according to the routing tables
would have its reply sent out on the interface on which the
packet came in (enable this feature with

   # echo 2 >/proc/sys/net/ipv4/conf/eth0/rp_filter

for each interface).

So your ssh connection must have passed all of these tests and
you may want to consider whether each one of these tests is configured
to your liking.


-- 
This message is hastily written, please ignore any unpleasant wordings,
do not consider it a binding commitment, even if its phrasing may
indicate so. Its contents may be deliberately or accidentally untrue.
Trademarks and other things belong to their owners, if any.
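Added example, not part of the message above: a small Python model of the receive-side checks the reply walks through (local destination, rp_filter, input firewall, TCP 4-tuple match). The addresses, interfaces, route table and the single established connection are constructed for illustration; the point it makes visible is that none of the checks ever reads the source MAC, so a swapped card with the same IP passes unnoticed.

```python
from ipaddress import ip_address, ip_network

# Constructed state for the "other computer" in the mail: two interfaces,
# eth0 on 192.168.1.0/24 (where the laptop lives) and eth1 on 10.0.0.0/24.
LOCAL_ADDRS = {"192.168.1.10", "10.0.0.10"}
# Routing table: destination network -> outgoing interface.
ROUTES = [
    (ip_network("192.168.1.0/24"), "eth0"),
    (ip_network("10.0.0.0/24"), "eth1"),
    (ip_network("0.0.0.0/0"), "eth0"),
]
# Established TCP connections, keyed by the 4-tuple the kernel matches on:
# laptop 192.168.1.20:40123 -> this host's sshd on 192.168.1.10:22.
CONNECTIONS = {("192.168.1.20", 40123, "192.168.1.10", 22)}
# Simplified input firewall: only SSH is let through.
ALLOWED_DPORTS = {22}


def route_for(dst):
    """Outgoing interface for dst by longest-prefix match, like the kernel."""
    best = None
    for net, dev in ROUTES:
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def accept(pkt, rp_filter=True):
    """Run one incoming TCP segment through the checks listed in the mail.

    pkt has src, sport, dst, dport, iface and src_mac. Returns 'accepted' or a
    string naming the layer that drops it. src_mac is never consulted: none of
    these checks looks at the Ethernet header, so a swapped card goes unnoticed.
    """
    if pkt["dst"] not in LOCAL_ADDRS:
        return "drop: routing layer, destination address is not ours"
    if rp_filter and route_for(pkt["src"]) != pkt["iface"]:
        return "drop: rp_filter, reply would not leave via the arrival interface"
    if pkt["dport"] not in ALLOWED_DPORTS:
        return "drop: input firewall rules"
    if (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]) not in CONNECTIONS:
        return "drop: TCP layer, no connection with this 4-tuple"
    return "accepted"


if __name__ == "__main__":
    wired = dict(src="192.168.1.20", sport=40123, dst="192.168.1.10",
                 dport=22, iface="eth0", src_mac="00:11:22:33:44:55")
    wireless = dict(wired, src_mac="66:77:88:99:aa:bb")  # same IP, new card
    print(accept(wired), "/", accept(wireless))
```

Switching rp_filter off (the `rp_filter=False` argument) lets a segment with the right 4-tuple in through the wrong interface, which is the case the sysctl in the mail exists to stop.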
