27

I use ssh a lot to connect to a variety of servers at my university. The machines are administered by students, so assume they can't really be trusted ;-)

What are the risks in making an ssh connection to a host I have no control over? What information can be gained about an ssh client from the server side? Is there a chance they can open a shell from the server on my client machine?

Hendrik Brummermann
bud

2 Answers

18

There is another big risk: SSH agent forwarding. If you use agent forwarding, anyone who is root at the server you SSH into can use your ssh private key to establish new connections. See http://unixwiz.net/techtips/ssh-agent-forwarding.html for more info on agent forwarding.

chris
  • 1
    Thanks, I didn't know that. Does that mean I am safe when I do ssh -a -x, unless ssh has a bug? – bud Sep 24 '11 at 19:26
  • I just realised, there's much more. Perhaps someone on the server has set a force-command for you to run (they'd need access to your account for that). SSH has a control channel you can use to set up forwarding etc. while the connection is active - perhaps the server could do that as well... Again, someone would already have access to your account (or root) for that. – chris Sep 25 '11 at 07:29
  • 2
    @chris, I don't understand. Can you elaborate on the force-command and the control channel risks you see, how they work, and what the impact is? – D.W. Sep 26 '11 at 02:14
12

SSH does not allow opening a shell on the client from the remote server. It does support reversed port forwarding, but that is initiated on the client side via -R or a ~-command.

The main risk is X11 forwarding. If your SSH client is configured to allow programs on the server to render GUI windows on your screen, there is an issue. Even untrusted X11 programs can cause a lot of damage. So it is best to use -x (important: small x) on the command line or ForwardX11 no in the ssh_config file.

-X Enables X11 forwarding. This can also be specified on a per-host basis in a configuration file.

X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring.

For this reason, X11 forwarding is subjected to X11 SECURITY extension restrictions by default.

-x Disables X11 forwarding.

-Y Enables trusted X11 forwarding. Trusted X11 forwardings are not subjected to the X11 SECURITY extension controls.

Source: man ssh

Hendrik Brummermann
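
A check for the two forwarding risks raised in the answers above (agent forwarding and X11 forwarding), added here as an example and not code from either answer: it reads the effective client options that `ssh -G <host>` prints and reports the ones that expose the client to the server. The function name `audit_ssh_forwarding`, the host name and the sample output are made up for illustration.

```shell
#!/bin/sh
# Added example: audit the effective client options printed by `ssh -G <host>`
# for the forwarding features discussed in the answers.
# Real use:  ssh -G lab1.example.edu | audit_ssh_forwarding
# (lab1.example.edu is a placeholder host name.)

audit_ssh_forwarding() {
    # Reads `ssh -G` output ("keyword value", keyword in lower case) on stdin.
    # Prints one line per risky setting; returns 1 if any were found, else 0.
    awk '
        { raw[tolower($1)] = $2; low[tolower($1)] = tolower($2) }
        END {
            bad = 0
            # ForwardAgent accepts yes, no, a socket path or $VAR: only "no" is off.
            if (("forwardagent" in low) && low["forwardagent"] != "no") {
                print "forwardagent=" raw["forwardagent"] \
                      ": agent forwarding is on; root on the server can use your agent"
                bad++
            }
            if (("forwardx11" in low) && low["forwardx11"] == "yes") {
                print "forwardx11=yes: X11 forwarding is on; the server side can reach your display"
                bad++
                # Trusted mode (-Y) only matters once X11 forwarding is enabled.
                if (("forwardx11trusted" in low) && low["forwardx11trusted"] == "yes") {
                    print "forwardx11trusted=yes: X11 SECURITY extension restrictions do not apply"
                    bad++
                }
            }
            exit (bad > 0)
        }
    '
}

# Constructed sample (not real output from any host): an excerpt in the
# format of `ssh -G`, with agent and X11 forwarding both enabled.
SAMPLE='hostname lab1.example.edu
user bud
forwardagent yes
forwardx11 yes
forwardx11trusted no'

printf '%s\n' "$SAMPLE" | audit_ssh_forwarding || true
```

Passing -a -x on the command line, as asked in the comment above, changes what `ssh -G -a -x <host>` prints, so the same check covers per-invocation flags as well as ssh_config.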