SSH reverse tunnels: can the intermediate server eavesdrop on an SSH session?



  • Suppose there are three computers: (1) my laptop, (2) a server that has a public static IP address, and (3) a Raspberry Pi behind a NAT. I connect from (1) to (3) via (2) as explained below.

    On the server (2), I add GatewayPorts yes to /etc/ssh/sshd_config, and restart the SSH daemon: sudo systemctl reload sshd.service.

    On the Raspberry Pi, I create a reverse SSH tunnel to the server:

    rpi$ ssh -R 2222:localhost:22 username-on-server@server-ip-address

    On my laptop, I am now able to connect to the Raspberry Pi using:

    laptop$ ssh -p 2222 username-on-pi@server-ip-address

    The question is: is the server able to see the data sent between my laptop and the Raspberry Pi? Can the server eavesdrop on the SSH session between my laptop and the Raspberry Pi?



  • Assuming that there is no active MITM attack going on (which can be detected by properly checking the host keys when connecting to rpi), the server sees only the SSH traffic between laptop and rpi.

    Since the payload is encrypted in SSH the server can only do some broad traffic analysis (i.e. source, destination, timing, size of data, ...) but not see or even modify the actual payload. Note though that in some cases such traffic analysis might already be valuable, see for example Timing Analysis of Keystrokes and Timing Attacks on SSH.
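As an added example (not from the original thread or its posters), a small POSIX shell helper that turns the "properly checking the host keys" step from the answer into a pinned known_hosts entry, so a wrong key presented through the tunnel is rejected instead of accepted at an interactive prompt. It assumes the Pi's public host key file was copied to the laptop out of band, and the file names rpi_host_key.pub and known_hosts_rpi, the alias rpi, and the hostnames and port 2222 from the thread are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original thread. Pins the Raspberry Pi's
# host key for connections that go through the reverse tunnel on the server.
# Assumption: the Pi's public host key was obtained out of band (e.g. over
# the LAN), so the intermediate server cannot substitute its own key.

# Turn a public key line ("ssh-ed25519 AAAA... comment") into a known_hosts
# entry for the given host alias; the trailing comment field is dropped.
pinned_known_hosts_line() {
    host_alias="$1"; pubkey_line="$2"
    key_type=$(printf '%s\n' "$pubkey_line" | awk '{print $1}')
    key_blob=$(printf '%s\n' "$pubkey_line" | awk '{print $2}')
    printf '%s %s %s\n' "$host_alias" "$key_type" "$key_blob"
}

# Compare the fingerprint printed on the Pi itself with the one ssh shows
# through the tunnel. Succeeds only on an exact, non-empty match.
fingerprints_match() {
    expected="$1"; presented="$2"
    [ -n "$expected" ] && [ "$expected" = "$presented" ]
}

# Constructed sample public key line (placeholder blob, not a real key),
# so the helper can be exercised offline:
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERBLOB pi@rpi'
pinned_known_hosts_line rpi "$SAMPLE_PUBKEY"

# Real-world use (not executed here; needs the hosts from the thread).
# On the Pi, print the reference fingerprint to compare against later:
#   rpi$ ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub
# On the laptop, after sourcing this file, build the pinned known_hosts file
# from the copied key and connect with HostKeyAlias, so ssh looks the key up
# under "rpi" rather than "[server-ip-address]:2222" and refuses to connect
# on any mismatch instead of asking whether to trust a new key:
#   laptop$ pinned_known_hosts_line rpi "$(cat rpi_host_key.pub)" \
#               > "$HOME/.ssh/known_hosts_rpi"
#   laptop$ ssh -p 2222 -o HostKeyAlias=rpi \
#               -o UserKnownHostsFile="$HOME/.ssh/known_hosts_rpi" \
#               -o StrictHostKeyChecking=yes username-on-pi@server-ip-address
```

With StrictHostKeyChecking=yes, a key that differs from the pinned one ends the connection with a host key error, which is the detection the answer relies on when it says an active MITM can be noticed by checking host keys.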

