Man in the middle on SSH Tunnel with untrusted server

4

I am using a Linux server on the net and reverse port forwarding to connect to machines behind firewalls.

  • From Remote I reverse forward Port 22 to some_port on Middle
  • From Home I ssh into user@Middle on port some_port

Let's say I am careful to compare host keys and fingerprints of Remote and Home.

  1. Can an attacker on Middle see my unencrypted traffic? (Well I guess that would be a no)
  2. Can an attacker on Middle fake the whole thing somehow and let me reveal my secrets? (keys, passphrase, stuff like that)
  3. What it boils down to: How vulnerable is that setup?

Intuitively I would say that there's not much they can do, since Middle does not see any unencrypted traffic, but I am still not entirely sure.

AndreasT

Posted 2011-06-05T08:48:09.070

Reputation: 669

Answers

1

Once the tunnel is set up, a Man-in-the-Middle attack on the data path is as difficult as breaking the encryption -- so, you are covered there.

However, the concern about MitM during connection setup (imo) may have some weight.
To cover that, I think you should use authorized keys always (for both connection setups).

These are things you will need to confirm.

  1. Remote to Middle tunnel is safely established on some well-known-port 'P' of Middle
    using authorized key of Remote.
  2. Home to Middle connect is established on that port 'P' using authorized key of Home
    (which I expect is placed in the authorized_keys file at Remote).

When these two are confirmed, you will not complete a Home to Remote connection over this tunnel unless Remote can validate Home key.

This requires that even if the Middle is compromised, the Remote is never compromised.
(ps: I think I need some more thought on this -- am open to comments and will correct or roll-back answer as fit)

nik

Posted 2011-06-05T08:48:09.070

Reputation: 50 788

Yeah. My head hurts, too... these tunnel, reverse tunnel and auth things are never crystal clear to me. – AndreasT – 2011-06-05T22:51:58.067
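
The host key comparison the question relies on can be written out as a check. This is an added example, not part of the original posts. It assumes a hypothetical host name `middle.example`, port 2222 standing in for some_port, and constructed key blobs in place of real host keys. The key presented on Middle:some_port must be Remote's pinned key, and an endpoint with no pin is not accepted on first use.

```python
import base64, hashlib, struct

def sample_key(seed: bytes) -> str:
    """Constructed stand-in for an ssh-ed25519 host key blob (not a real key)."""
    kt, raw = b"ssh-ed25519", hashlib.sha256(seed).digest()
    blob = struct.pack(">I", len(kt)) + kt + struct.pack(">I", len(raw)) + raw
    return base64.b64encode(blob).decode()

def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf prints."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def pinned_keys(known_hosts: str, host: str, port: int) -> dict:
    """Map key type -> key blob for unhashed known_hosts entries naming host:port."""
    name = host if port == 22 else f"[{host}]:{port}"
    pinned = {}
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue  # blank lines, comments, @cert-authority / @revoked markers
        if name in fields[0].split(","):
            pinned[fields[1]] = fields[2]
    return pinned

def check_endpoint(known_hosts, host, port, keytype, presented_b64) -> str:
    """Compare the key presented on host:port with the pinned one."""
    pinned = pinned_keys(known_hosts, host, port).get(keytype)
    if pinned is None:
        return "unknown"  # no pin: do not trust-on-first-use through Middle
    same = base64.b64decode(pinned) == base64.b64decode(presented_b64)
    return "match" if same else "mismatch"

# Constructed sample data: hypothetical host name and port for Middle:some_port.
REMOTE_KEY = sample_key(b"remote host key")
MIDDLE_KEY = sample_key(b"key of an sshd run by Middle")
KNOWN_HOSTS = f"""# pinned out of band, from Remote's /etc/ssh/ssh_host_ed25519_key.pub
[middle.example]:2222 ssh-ed25519 {REMOTE_KEY}
middle.example ssh-ed25519 {MIDDLE_KEY}
"""

if __name__ == "__main__":
    for label, key in (("forwarded to Remote", REMOTE_KEY),
                       ("answered by Middle", MIDDLE_KEY)):
        print(label, fingerprint(key),
              check_endpoint(KNOWN_HOSTS, "middle.example", 2222, "ssh-ed25519", key))
```

The `[host]:port` entry is how OpenSSH records a key for a non-default port, so Remote's key reached through the forward and Middle's own key on port 22 are pinned separately.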