On Sun, Aug 26, 2001 at 10:11:08PM +0200, Martin F Krafft wrote:
> my laptop has two net interfaces, one wired and one wireless. they
> have different MAC addresses, but i configured my DHCP server to treat
> them the same so that i usually have the same IP no matter what card i
> use.
>
> i just noticed a curious bit of possible security awkwardness. with my
> wired card, i established an ssh2 connection to another machine on my
> subnet, then i proceeded to swap the cards - and i could continue
> using my ssh2 session as soon as the new card received an IP (the same
> one). now i ask you - this smells like a problem to me, or not?
> shouldn't sshd at least worry about the MAC address too (can it?) just
> an IP is too easy to spoof (MAC are too i guess).
Here is how the security works on the other computer on the network:

Reply packets are sent to the MAC address which the arp tables in that
computer's kernel say they should go to. Normally these tables are just a
dynamic cache, but you can make permanent entries with arp(8).

Incoming packets are not checked because on traditional non-switched
Ethernet anyone can spoof MAC addresses by simply setting some option in
the hardware config. On switched networks the switch hardware can
sometimes be configured to prevent MAC spoofing by refusing packets coming
in through the wrong cable to the switch, but I don't think the Linux
kernel has an option for checking incoming MACs yet.

Here is how the security works on the multihomed computer:

sshd aborts if the data is not "signed" with the session key originally
negotiated (see the other reply on this list), but even if it did not
check that (e.g. replace sshd with telnetd), sshd only accepts the data if
it is coming in on the open TCP connection that you logged in on
originally.

The TCP layer of the kernel (on any OS) only accepts the packets as being
part of that TCP connection if they have the exact same source address,
source port, destination address and destination port. This is part of
the TCP protocol definition.

The routing layer of Linux (we are talking the kernel now, so the proper
name is Linux, not GNU/Linux) only sends the packets upwards if the
destination IP address belongs to this computer according to ifconfig.
Also the routing layer always sends the reply packets out the interface
specified as the route towards the far end.

The security layer of Linux only passes the packets to the TCP layer if
they are accepted by the input firewall rules on their way in (the reply
must satisfy the output rules). I assume you have such rules, otherwise
anything goes (see man ipfwadm for kernel 2.0.x, man ipchains for 2.2.x,
man iptables for 2.4.x. There are HOWTO documents for each too).

The antispoof feature of the kernel only accepts the packets if the
source address is one which according to the routing tables would have
its reply sent out on the interface on which the packet came in (enable
this feature with

    # echo 2 >/proc/sys/net/ipv4/conf/eth0/rp_filter

for each interface).

So your ssh connection must have passed all of these tests, and you may
want to consider if each one of these tests is configured to your liking.

-- 
This message is hastily written, please ignore any unpleasant wordings,
do not consider it a binding commitment, even if its phrasing may
indicate so. Its contents may be deliberately or accidentally untrue.
Trademarks and other things belong to their owners, if any.
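As an added illustration (not part of the thread above, and not the kernel's code), the following toy model walks an inbound packet through the gates the reply lists: a strict reverse-path check driven by a routing table, the "is this destination one of my addresses" test, and TCP demultiplexing on the 4-tuple. The routing table, the local addresses, the ssh session and all packets are constructed assumptions. The point it makes concrete is the one in the reply: the source MAC address is never consulted, so swapping cards while keeping the same IP does not disturb an established TCP connection, whereas a packet whose source address is not routed via the interface it arrived on, or whose 4-tuple does not match an open connection, is dropped.

```python
"""Toy model of the checks the reply describes. Constructed example:
addresses, interfaces, routes and the session table are assumptions."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed routing table: (destination prefix, outgoing interface).
ROUTES: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network("192.168.1.0/24"), "eth0"),  # wired LAN
    (ipaddress.ip_network("10.0.0.0/8"), "eth1"),      # second LAN
    (ipaddress.ip_network("0.0.0.0/0"), "eth0"),       # default route
]
# Addresses this host owns (what ifconfig would show). Assumed values.
LOCAL_ADDRS = {"192.168.1.20", "10.0.0.20"}

FourTuple = Tuple[str, int, str, int]  # (src addr, src port, dst addr, dst port)


def route_lookup(addr: str, routes=ROUTES) -> str:
    """Longest-prefix match: the interface a reply to `addr` would leave on."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in routes if ip in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def rp_filter_accepts(src: str, in_iface: str, routes=ROUTES) -> bool:
    """Strict reverse-path check as the reply describes it: the packet's
    source must be reachable through the interface it arrived on."""
    return route_lookup(src, routes) == in_iface


def tcp_key(pkt: dict) -> FourTuple:
    """The only identity TCP uses for an established connection."""
    return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])


def classify(pkt: dict, conns: Dict[FourTuple, str]) -> str:
    """Run an inbound packet through the gates in the order the reply lists.
    Note that pkt["src_mac"] is never read: the MAC plays no part."""
    if not rp_filter_accepts(pkt["src"], pkt["in_iface"]):
        return "drop: rp_filter (source not routed via %s)" % pkt["in_iface"]
    if pkt["dst"] not in LOCAL_ADDRS:
        return "drop: destination is not one of our addresses"
    label = conns.get(tcp_key(pkt))
    if label is None:
        return "drop: no TCP connection with this 4-tuple"
    return "accept: delivered to " + label


# One established ssh session: laptop 192.168.1.10:40000 -> us 192.168.1.20:22
CONNS: Dict[FourTuple, str] = {("192.168.1.10", 40000, "192.168.1.20", 22): "sshd"}


def mkpkt(src_mac, src, sport, dst, dport, in_iface) -> dict:
    return dict(src_mac=src_mac, src=src, sport=sport,
                dst=dst, dport=dport, in_iface=in_iface)


# Constructed packets: the wired card; the wireless card with the same IP but
# a different MAC; a copy of the session arriving on the wrong interface;
# and a packet with a source port that belongs to no open connection.
WIRED = mkpkt("00:11:22:33:44:55", "192.168.1.10", 40000, "192.168.1.20", 22, "eth0")
WIRELESS = mkpkt("66:77:88:99:aa:bb", "192.168.1.10", 40000, "192.168.1.20", 22, "eth0")
WRONG_IFACE = mkpkt("de:ad:be:ef:00:01", "192.168.1.10", 40000, "192.168.1.20", 22, "eth1")
WRONG_PORT = mkpkt("00:11:22:33:44:55", "192.168.1.10", 40001, "192.168.1.20", 22, "eth0")

if __name__ == "__main__":
    for name, p in [("wired", WIRED), ("wireless", WIRELESS),
                    ("wrong iface", WRONG_IFACE), ("wrong port", WRONG_PORT)]:
        print("%-12s %s" % (name, classify(p, CONNS)))
```

Running it prints an accept for both the wired and the wireless packet, and a drop for the other two; the firewall rules the reply mentions would sit between the reverse-path check and the TCP lookup and are left out of the model.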