Re: pre-connect and smtp ?



Hi,

On 2001.08.20 12:43 Brian Stafford wrote:
> There is another problem with port forwarding though, nothing to do with
> ssh.
> That is port numbers are a global resource for a given host.  Once the
> host is listening on the port, any user can try to connect to that port.
> This may be undesirable.  Even if the port forwarding program accepts only
> one connection, there is still a critical race when another client connects
> before the one that set up the connection.  That client can then

Well, that's true only for other users on the local host. The listening port
is always bound to 127.0.0.1. This is not an option, it's hardcoded. So,
only processes on the local host can use the tunnel.
Normally it is assumed that the tunnel would be used to encrypt a session
with a remote server requiring separate authentication. Therefore, if
another user on the local host connected to that port instead of the
legitimate user, he would still have to face the login prompt of the
protocol in question. So, used as intended it's relatively safe. If the
originating host is a desktop machine, security is even greater since
desktops usually don't permit remote logins, so there is only the console
user.

> socket on the localhost though.  This still isn't as good as forwarding
> stdin/out to a remote host port, which ssh can't do either.
> 

That also has its pitfalls because inetd will accept multiple connections
from any host and would then forward those. With inetd, it would be even
less secure because you cannot specify an address to bind to on a
protocol-per-protocol basis. xinetd offers more security, allowing you to limit
the addresses a listener is bound to and the clients that may connect.

> It seems like ssh provides an exploitable security loophole when used as a
> port forwarder!  I guess port forwarding is a Bad Thing.
> 
Not if it's used within its design parameters. When abused, almost
everything becomes a Bad Thing.

Melanie
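The thread turns on whether a forwarder's listening port is reachable only from the local host. As an added example (not part of the original message), here is a POSIX shell check that parses `ss -Hltnp` style output and reports any ssh, inetd or xinetd listener bound to something other than a loopback address; the `ss` output format and the sample lines are assumptions, constructed for this example.

```shell
#!/bin/sh
# Added example: audit listening TCP sockets and report any forwarder
# (ssh, inetd, xinetd) that is bound to a non-loopback address.
# Assumes the line layout of `ss -Hltnp` (no header, listening, TCP,
# numeric, with process info). The sample below is constructed.

SAMPLE_SS='LISTEN 0 128 127.0.0.1:2525 0.0.0.0:* users:(("ssh",pid=4242,fd=5))
LISTEN 0 128 0.0.0.0:2526 0.0.0.0:* users:(("ssh",pid=4243,fd=5))
LISTEN 0 64 [::1]:2527 [::]:* users:(("ssh",pid=4244,fd=6))
LISTEN 0 128 *:110 *:* users:(("xinetd",pid=900,fd=7))
LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=812,fd=3))'

# Print "process local_address:port" for each forwarder not on loopback.
exposed_forwarders() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            addr = $4
            sub(/:[0-9]+$/, "", addr)          # strip the port
            gsub(/\[|\]/, "", addr)            # strip IPv6 brackets
            if (match($0, /users:\(\("[^"]+"/)) {
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            } else {
                proc = "?"
            }
            loopback = (addr == "::1" || addr ~ /^127\./)
            if (!loopback && proc ~ /^(ssh|inetd|xinetd)$/)
                print proc, $4
        }'
}

# Return 1 when any forwarder is exposed, so the check can gate a cron job
# or a login script; the live call would be: check_forwarders "$(ss -Hltnp)".
check_forwarders() {
    out=$(exposed_forwarders "$1")
    if [ -n "$out" ]; then
        printf 'exposed forwarders:\n%s\n' "$out"
        return 1
    fi
    return 0
}
```

On the sample above the check reports `ssh 0.0.0.0:2526` and `xinetd *:110`, while the two loopback-bound ssh listeners and cupsd are left alone.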
