4
1
For example, there are 2 computers, A and B. Computer A is a SSH server. Computer B opens and SSH connection/tunnel to computer A. Is it possible to, from Computer A, use the SSH connection/tunnel to access computer B from computer A? Also, how can you disconnect computer B from the SSH without turning off server?
S.H.
Posted 2010-10-22T01:14:10.540
Reputation: 41
4
The basic answer is no: the user on the client computer (B) can run commands on the server computer (A) (therefore the administrator on the client can run commands on the server), but the administrator on the server can only influence what the user is doing on the client.
However this does not mean that the client computer is fully protected from the server administrator. A malicious server administrator could insert some attack code in an executable file that the user will copy to the client computer and execute there.
Furthermore, if the user has opened a tunnel in addition to the ssh connection, this may provide another attack vector. For example, X11 tunnels can pretty much allow the server administrator to remotely control X11 applications running locally on the client machine (e.g. by injecting key presses or clipboard data). Openssh provides some protection (see the descriptions of -X, -Y and ForwardX11Trusted in the Openssh client manual) through the X11 SECURITY extension, but these controls do not provide absolute protection (X11 was not designed with application isolation in mind, so you can't really have security without sacrificing functionality).
Gilles 'SO- stop being evil'
Posted 2010-10-22T01:14:10.540
Reputation: 58 319
while true ; do xset -display $REMOTE_DISPLAY s activate ; sleep 1 ; xset -display $REMOTE_DISPLAY dpms force standby ; sleep 2 ; done And yes, I have done that before. – Ignacio Vazquez-Abrams – 2010-10-25T02:44:49.723
"a malicious server administrator could insert some attack code in an executable file that the user will copy to the client computer and execute there" - this means that the only real vulnerability is if a client copies a file from the server to their local computer and executes it without checking what it is first? – Naftuli Kay – 2011-07-15T23:00:28.597
1@TKKocheran That's one obvious vector of attack. If you don't trust the server administrator, don't trust any file you've stored on the server, and don't trust that any command you run on the server has its intended effect. – Gilles 'SO- stop being evil' – 2011-07-15T23:22:14.283
2
Only if they've opened up a remote tunnel with it. And even then you can only connect to what it's connected to on their side.
sshd spawns an instance per connection. Simply kill the one they've connected to.
Ignacio Vazquez-Abrams
Posted 2010-10-22T01:14:10.540
Reputation: 100 516
How would you go about accessing them if they've tunneled in? – S.H. – 2010-10-22T01:20:14.630
1First use something like nc connected to your end of the tunnel to see what they're showing. If you find something useful, use the appropriate client for that service. – Ignacio Vazquez-Abrams – 2010-10-22T01:21:44.937
3Only in the movies and on TV. – Lawrence Dol – 2010-10-22T01:43:39.807
1
See also this similar question at Unix Stack Exchange.
– Gilles 'SO- stop being evil' – 2011-04-14T18:54:25.550