Control Sockets

Notes

Benefits:

Multiplexing - Create more than one connection through an already established secure channel

Data exfiltration - Downloading through an already established secure connection

Less logging - Creates a special type of file (a socket file) that shows you are already logged in to the SSH server. As long as the master process (the PID behind the original window) stays alive, you can open as many new sessions to that server as you want, because you are already authenticated.

Only the first connection, the one that created the control socket, has a corresponding established-connection and authentication log entry.

Control Sockets (config)

Two main ways to configure:

Command Line Method

ssh -M -S /tmp/s root@<ip> <-R or -L>
ssh -S /tmp/s user@<ip>
scp -o 'ControlPath=/tmp/s' user@<ip>:<Path>

Configuration File Method (~/.ssh/config)

Host *
    ControlPath ~/.ssh/controlmasters/%r@%h:%p
    ControlMaster auto
    ControlPersist 10m

Manipulate SSH Config for Master Control Socket

Making SSH Control Sockets Persistent

Configure the following settings in either or both of:

system-wide config - /etc/ssh/ssh_config

per-user config - ~/.ssh/config

The per-user config file will take precedence over the system wide SSH client configuration file.

If you are using control sockets to specific systems, create entries for each host:

Host host.example.org
    ControlPath ~/.ssh/controlmasters/%r@%h:%p
    ControlMaster auto
    ControlPersist 10m

The socket is created in "~/.ssh/controlmasters/" and is named user@host:port

%r - remote user name

%h - remote host name

%p - remote port

ControlMaster accepts five different values:

no (default) - New sessions will not try to connect to an established master session, but additional sessions can still multiplex by connecting explicitly to an existing socket.

yes - Creates a new master session each time, unless overridden. The new master session will listen for connections.

ask - Creates a new master session each time, unless overridden, which listens for connections. If overridden, ssh-askpass(1) will ask the master session owner to approve or deny the request. If the request is denied, then the session being created falls back to being a regular, standalone session.

auto - Creates a master session automatically but if there is a master session already available, subsequent sessions are automatically multiplexed.

autoask - Automatically assumes that if a master session exists, that subsequent sessions should be multiplexed, but asks first before adding a session.

Refused connections are logged to the master session.

ControlPersist specifies whether to keep the control socket active when idle, or for how long.

The options are 'yes', 'no' or a time interval.

If a 'time interval' is given, the default is in seconds. Units can extend the time to minutes, hours, days, weeks or a combination.

If 'yes' the master connection stays in the background indefinitely.

To make SSH use control sockets for all SSH connections, a wildcard can be specified with the Host option:

Host *
    ControlMaster auto
    ControlPath ~/.ssh/cm_socket/%r@%h:%p

mkdir ~/.ssh/cm_socket
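
Because only the master connection produces an authentication log entry, it helps to know which client configurations create master sockets and how long they persist. The following is an added example, not part of the original notes: it parses an OpenSSH client config and reports each Host block that enables a master socket. The function names audit_mux and sample_config, the hosts in the sample, and the treatment of ControlPersist 0 as indefinite (per ssh_config(5), not these notes) are assumptions of the example.

```shell
# Added example: report Host blocks in an OpenSSH client config that create
# multiplexing master sockets. Output: pattern|ControlMaster|ControlPersist|ControlPath|note
audit_mux() {
    awk '
    function emit() {
        if (cm == "yes" || cm == "auto" || cm == "ask" || cm == "autoask") {
            note = "persists-" cp
            if (cp == "yes" || cp == "0") note = "persists-indefinitely"
            if (cp == "" || cp == "no") { cp = "no"; note = "closes-with-master" }
            printf "%s|%s|%s|%s|%s\n", host, cm, cp, (path == "" ? "none" : path), note
        }
        cm = ""; cp = ""; path = ""
    }
    BEGIN { host = "(global)" }         # options placed before the first Host line
    /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
    {
        line = $0; val = ""
        sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
        if (match(line, /[ \t=]/)) {    # keyword and value are split by blanks or "="
            val = substr(line, RSTART)
            line = substr(line, 1, RSTART - 1)
            sub(/^[ \t]*=?[ \t]*/, "", val)
        }
        key = tolower(line)             # keywords are case-insensitive
        if (key == "host" || key == "match") { emit(); host = val }
        else if (key == "controlmaster"  && cm == "")   cm = tolower(val)
        else if (key == "controlpersist" && cp == "")   cp = tolower(val)
        else if (key == "controlpath"    && path == "") path = val
    }
    END { emit() }
    ' "$1"
}
# Constructed sample config; the first and last blocks mirror the ones in these notes.
sample_config() {
    cat <<'EOF'
Host host.example.org
    ControlPath ~/.ssh/controlmasters/%r@%h:%p
    ControlMaster auto
    ControlPersist 10m
Host bastion.example.org
    controlmaster=yes
    ControlPersist yes
Host plain.example.org
    User admin
Host *
    ControlMaster auto
    ControlPath ~/.ssh/cm_socket/%r@%h:%p
EOF
}
```

Run it as audit_mux ~/.ssh/config or audit_mux /etc/ssh/ssh_config. It reports each block on its own; ssh -G <host> prints the effective merged settings for a single host.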
