On Tue, May 08, 2007 at 06:20:12AM -0700, Darren Spruell wrote:
| >2.  that's not the problem described.  how does ssh know that its
| >connection is being NATed?
|
| Does it matter if its connection is NATed if SSH can guarantee
| end-to-end confidentiality and endpoint authentication? I don't
| understand how an intermediary NAT router serves as a MITM assuming
| server identity is verified.

You can then, being the NATting router, send out traffic through the
pf firewall abusing the authentication from the authpf user you
NATted. In fact, you only need 1 person to 'authpf' and then have the
rest of the world use your access point to use the privileges of the
authpf'ed users when going through the firewall.

You're not MITM'ing the SSH session but the "authpf session".

Paul 'WEiRD' de Weerd

--
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
                 http://www.weirdnet.nl/

[demime 1.01d removed an attachment of type application/pgp-signature]
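
The point made in this reply, as an added example that is not part of the original thread: a toy Python model of a gateway that grants access per source IP, with a NAT router in front of the authenticated user. All class names and addresses are constructed for illustration and this is not authpf's or pf's own code.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class AuthpfGateway:
    """Hypothetical model: pass rules keyed by the IP the SSH login came from."""
    allowed: dict = field(default_factory=dict)  # source IP -> user

    def login(self, user, ssh_peer_ip):
        # The only identity the filter keeps is the peer address of the login.
        self.allowed[ssh_peer_ip] = user

    def logout(self, ssh_peer_ip):
        self.allowed.pop(ssh_peer_ip, None)

    def filter(self, pkt):
        # Returns the user the packet is attributed to, or None if blocked.
        return self.allowed.get(pkt.src)

@dataclass
class NatRouter:
    outside_ip: str
    next_port: int = 50000
    table: dict = field(default_factory=dict)  # (inner ip, port) -> outer port

    def translate(self, pkt):
        key = (pkt.src, pkt.sport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return Packet(self.outside_ip, self.table[key], pkt.dst, pkt.dport)

def run_demo():
    gw, nat = AuthpfGateway(), NatRouter("192.0.2.10")
    # alice (10.0.0.5) logs in over SSH; the SSH session itself is untouched.
    ssh = nat.translate(Packet("10.0.0.5", 40000, "198.51.100.1", 22))
    gw.login("alice", ssh.src)
    # A second inner host that never authenticated, and an unrelated direct host.
    other = nat.translate(Packet("10.0.0.77", 40001, "203.0.113.9", 80))
    direct = Packet("192.0.2.99", 40002, "203.0.113.9", 80)
    during = (gw.filter(other), gw.filter(direct))
    gw.logout(ssh.src)  # access ends only when alice's session ends
    return during + (gw.filter(other),)
```

`run_demo()` returns `("alice", None, None)`: while the login is active the unauthenticated inner host is passed and attributed to alice, which is why logs on such a gateway identify the NAT address rather than the individual host.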
