Many Ways to Misuse Your Current SSH Architecture
In this illustration, our server administrator, Jo, connected a DMZ host to an intranet patching server in order to apply patches to the DMZ host. She got around the technical restrictions, but, sadly, the architectural separation between the DMZ and the intranet was lost as well. Let's review the risks of SSH agent forwarding.
Depending on the scripts, the administrator may use agent forwarding to negotiate the connection from Box D to Box P. With this design, Box D relays the administrator's login credentials (the private key, which stays on Box A) to Box P, which further automates the convoluted process. How is that done? In most cases, via a UNIX domain socket file.
In UNIX, everything is a file. To send network traffic, a process writes to the file that represents the network device. In this case, the forwarded connection back to the agent on Box A (and thus to the private key used for authentication) is represented on Box D by a socket file. This file shuttles the authentication traffic between Box A and Box P. So what's the risk?
Maybe the hacker can't get a copy of the private key through the socket file, but something better (from his or her point of view) can be done. If the hacker has root on Box D, he or she can point a private copy of the SSH client software at that socket file and thereby direct the authentication process to the administrator's credentials, the ones kept on the "safe" intranet. What are the chances that the administrator has configured access to all the DMZ servers she controls? Altering a few environment variables lets the intruder attempt to reach other DMZ hosts with our administrator's private key. This can mean direct access as root or local administrator. And so this socket file becomes a door to many other systems in the DMZ.
Additionally, by setting the right booby traps, the hacker can alter the administrator's patch-loading scripts that act against the company's intranet patching server. If the server administrator is root on that internal device and the private key identity is recognized as such, how many copies of bot software will be installed on your company's PCs in no time?
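The design above, as an added example that is not part of the original text: a small audit of an OpenSSH client config that flags the two ways the agent socket ends up on Box D (an explicit ForwardAgent yes, or a ProxyCommand hop with ssh -A), and rewrites the config to use ProxyJump instead, which relays the session through Box D without ever exposing the key there. The sample config, host names and the jump-host choice are constructed for illustration.

```python
import re

# Constructed sample ~/.ssh/config (placeholder names) for the Box A -> Box D -> Box P hop.
SAMPLE_CONFIG = """\
Host box-d
    HostName box-d.dmz.example
    User admin
    ForwardAgent yes

Host box-p
    HostName patch.intranet.example
    User admin
    ProxyCommand ssh -A box-d -W %h:%p
"""
CANON = {"hostname": "HostName", "user": "User", "port": "Port", "identityfile": "IdentityFile"}

def parse_ssh_config(text):
    """Return [(host_pattern, {keyword_lowercased: value}), ...], one per Host block."""
    blocks, opts = [], None
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # drop comments, split keyword/value
        if not parts:
            continue
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "host":
            opts = {}
            blocks.append((value, opts))
        elif opts is not None:  # options before the first Host line are ignored here
            opts[key] = value
    return blocks

def forwarding_risks(text):
    """Flag blocks that expose the local agent socket remotely: ForwardAgent yes or 'ssh -A'."""
    risks = []
    for host, opts in parse_ssh_config(text):
        if opts.get("forwardagent", "").lower() == "yes":
            risks.append((host, "ForwardAgent yes"))
        if re.search(r"\bssh\b.*\s-A\b", opts.get("proxycommand", "")):
            risks.append((host, "ProxyCommand uses ssh -A"))
    return risks

def hardened_config(text, jump_host):
    """Rewrite every block with ForwardAgent no; hosts behind the jump get ProxyJump instead."""
    out = []
    for host, opts in parse_ssh_config(text):
        out.append(("\n" if out else "") + f"Host {host}")  # blank line between blocks
        out += [f"    {CANON.get(k, k)} {v}" for k, v in opts.items()
                if k not in ("forwardagent", "proxycommand", "proxyjump")]
        out.append("    ForwardAgent no")
        if host != jump_host:
            out.append(f"    ProxyJump {jump_host}")
    return "\n".join(out) + "\n"
```

With ProxyJump, the TCP session to Box P is relayed through Box D, but the private key is only ever used by the client on Box A, so a root intruder on Box D has no socket to point at.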
This is but one way in which bad SSH design worsens security.