{
	"id": "d82b9e2e-b2c4-4982-b738-09b94e838bd4",
	"created_at": "2026-04-06T03:37:33.115926Z",
	"updated_at": "2026-04-10T03:20:38.230507Z",
	"deleted_at": null,
	"sha1_hash": "53a2338cd203ae6ba080e7d11495011fa8abe71c",
	"title": "(Mis)trusting and (ab)using ssh",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54379,
	"plain_text": "(Mis)trusting and (ab)using ssh\r\nArchived: 2026-04-06 03:13:10 UTC\r\n1.\r\n(mis)Trusting and (ab)Using SSH\r\nTips and Tricks for Pentesters and Sysadmins\r\nHerman Duarte \u003chcoduarte@gmail.com\u003e\r\nBruno Morisson \u003cmorisson@genhex.org\u003e\r\nMonday, July 2, 12 1\r\n2.\r\nAbout us Bruno Morisson Herman Duarte \u003cmorisson@genhex.org\u003e \u003chcoduarte@gmail.com\u003e\r\nhttp://genhex.org/~mori/ I do security stuff @ INTEGRITY S.A. InfoSEC addict @ INTEGRITY S.A.\r\n@morisson @hdontwit http://www.linkedin.com/in/morisson http://www.linkedin.com/in/hcoduarte\r\n3.\r\nIn the beginning of times...\r\nTelnet\r\nr* services (rlogin, rsh)\r\nWeak (or no) authentication\r\nCommunication in clear\r\n4.\r\nIn the beginning of times...\r\nSniffing\r\nInterception\r\nHijacking\r\nMan-In-The-Middle\r\n...\r\n5.\r\n6.\r\nSSH* features\r\nKey agreement (DH)\r\nEncrypted communications (C\u0026I from CIA)\r\nMultiple authentication options (password, public keys, kerberos, etc...)\r\nChannel Multiplexing\r\nPort Forwarding\r\nVPN\r\n...and so much more! 
* for this talk SSH==SSHv2\r\n7.\r\n8.\r\nSSH 101 - The Basics\r\nConnection: Session Multiplexing, TCP forwarding, socket forwarding, sftp subsystem, etc\r\nSSH User Auth: User Authentication (password, Pubkey, etc)\r\nTransport: Key Agreement (DH), Host auth, Integrity, Encryption, Re-Keying\r\nTCP\r\nIP\r\n9.\r\nSSH 101 - The Basics\r\n[Diagram: Client, Server; Encrypted Channel Setup, User Authentication, Connection]\r\n10.\r\nhttps://www.slideshare.net/morisson/mistrusting-and-abusing-ssh-13526219\r\nPage 1 of 4\n\nSSH 101 - The Basics\r\nUser authentication methods:\r\nGSSAPI\r\nHost-Based\r\nPublic Key\r\nChallenge-Response\r\nPassword\r\n11.\r\nPassword Authentication\r\n[Diagram: Client, Server; Encrypted Channel Setup; username, use password; OK; Password; Auth Ok / NOk; ssh, sshd, passwd file]\r\n12.\r\nIf the server is compromised...\r\nsshd binary is changed with one that logs passwords\r\nkeylogger is installed on the server\r\n..the password is compromised!\r\n13.\r\nPublicKey Authentication\r\n[Diagram: Client, Server; Encrypted Channel Setup; username, use publickey; OK; Signature; Auth Ok / NOk; ssh, sshd, id_dsa, authorized_keys]\r\n14.\r\n15.\r\nWhat if I have a lot of keys, or login a lot ??\r\n16.\r\nSSH Agent\r\n[Diagram: Client, Server; Encrypted Channel Setup; username, use publickey; OK; Signature; Auth Ok / NOk; Agent, ssh, sshd, id_dsa, authorized_keys]\r\n17.\r\nWhat if I SSH into other servers ??\r\n18.\r\nSSH Agent Forwarding\r\nNo need to copy private key to other servers\r\nKey is kept on the original source host\r\nAgent is forwarded, using a tunnel\r\nPasswordless! 
\r\n19.\r\nSSH Agent Forwarding\r\n[Diagram: Client, Server #1, Server #2; Transport, Connection, Interactive Shell, Agent Forwarding; Agent, ssh, sshd, id_dsa, authorized_keys]\r\n20.\r\nControl Master\r\nConnection multiplexing allows for multiple sessions on one connection\r\nIt’s fast\r\nNo need for extra authentication\r\n21.\r\n22.\r\nCaveat Emptor(s)\r\nYou must trust the server(s)\r\nWhat if the server was compromised ?\r\nCan SSH Agent be abused ?\r\nCan Control Master be abused ?\r\n23.\r\n24.\r\nHelp us ObiWan\r\nYou’re our only hope!\r\n25.\r\nFreak on a Leash\r\nWhen adding keys to ssh-agent use ssh-add with:\r\n-t \u003csecs\u003e to set a maximum lifetime on the identities being added to the agent\r\n-c to indicate that identities being added should be subject to confirmation before being used for auth\r\n26.\r\nFreak on a Leash\r\nssh-agent queries /usr/libexec/ssh-askpass for confirmation\r\n“ssh-add -c -t 3600 \u003c /dev/null” makes ssh-add use env var SSH_ASKPASS to query for passphrase\r\n27.\r\n28.\r\nBut we still need passwords!\r\nIf you su / sudo, you still type your password...\r\nWhat if we could use the SSH Agent for sudo ?\r\nYes we can! 
:)\r\n29.\r\n30.\r\n31.\r\n32.\r\nUsing SSH w/o using SSH (but still using SSH)\r\nssh -W trusted:22 untrusted\r\nOpen socket to trusted Server...\r\n...through an untrusted Server\r\n33.\r\nUsing SSH w/o using SSH (but still using SSH)\r\nConnect to the socket created\r\nssh -o \"ProxyCommand ssh -a -W trusted:22 untrusted\" trusted\r\nDisable Agent Forwarding\r\nOpen Socket to trusted via untrusted\r\nJust for user and key validation\r\n34.\r\nUsing SSH w/o using SSH (but still using SSH)\r\n[Diagram: Client, Untrusted (Owned), Trusted; Transport, Connection, -W (Open Socket to Server #2), Interactive Shell; Agent, ssh, sshd, id_dsa, authorized_keys]\r\n35.\r\n36.\r\nControl your SSH\r\n.ssh/config\r\nHost trusted1 trusted2 trusted3\r\n    ForwardAgent yes\r\n    ProxyCommand ssh -a -W %h:22 untrusted.server.com\r\nHost *\r\n    ControlMaster no\r\n    ForwardAgent no\r\n    PasswordAuthentication no\r\n    HashKnownHosts yes\r\n37.\r\n38.\r\nReferences\r\nRTFM :)\r\nRFCs 4251-4256, 4335, 4344, 4345, 4419, 4432, 4462, 4716, 5656\r\nhttp://www.linuxjournal.com/article/9566\r\nhttp://pamsshagentauth.sourceforge.net/\r\nhttp://www.jedi.be/blog/2010/08/27/ssh-tricks-the-usual-and-beyond/\r\nSource: https://www.slideshare.net/morisson/mistrusting-and-abusing-ssh-13526219",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.slideshare.net/morisson/mistrusting-and-abusing-ssh-13526219"
	],
	"report_names": [
		"mistrusting-and-abusing-ssh-13526219"
	],
	"threat_actors": [],
	"ts_created_at": 1775446653,
	"ts_updated_at": 1775791238,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/53a2338cd203ae6ba080e7d11495011fa8abe71c.pdf",
		"text": "https://archive.orkl.eu/53a2338cd203ae6ba080e7d11495011fa8abe71c.txt",
		"img": "https://archive.orkl.eu/53a2338cd203ae6ba080e7d11495011fa8abe71c.jpg"
	}
}