Slashdot Mirror


Overconfidence in SSH Protection

nitsudima writes to mention a post on the Informit site about the common misunderstandings surrounding SSH, and how well-intentioned admins may be creating holes in their own security by using it. From the article: "In UNIX, all things are files. To send network traffic, UNIX writes the traffic to the network device file. In this case, the connection to Box A (and that private key used for authentication) is a socket file. This file will shuttle the authentication traffic between Box A and Box P. So what's the risk? Maybe the hacker can't get a copy of the private key through the socket file, but something better (from his/her view) can be done. If the hacker has root on Box D, he or she can point a private copy of the agent forwarding software to that socket file and thereby point the authentication process to the administrator's credentials--the ones kept on the 'safe' intranet. What are the chances that the administrator has configured access to all the DMZ servers he controls?"

8 of 194 comments

  1. Huh? What? by XanC · · Score: 4, Insightful

    I consider myself fairly competent as far as this kind of stuff goes, but I just couldn't follow that summary at all. Maybe it's just because it's so late. Can someone post a more sensible summary of an attack?

  2. All I need is root? by Anonymous Coward · · Score: 5, Insightful

    So all I need to do is get root access to a Linux server and I can spy on normal users there? Whoah, now this is what I call news.

  3. Root by L0rdJedi · · Score: 3, Insightful

    Yep, just gotta get root. Of course, at that point, you probably have more to worry about than someone redirecting your ssh session.

  4. don't really understand the problem. by geoff+lane · · Score: 4, Insightful

    If you gain access to a system within the DMZ you've already broken in ... ssh has nothing to do with it.

    Any sysadmin who configures sshd to allow direct access to a root account is incompetent and deserves to clean up the resulting mess when they are cracked.

    So what should we worry about again?

    1. Re:don't really understand the problem. by ladadadada · · Score: 5, Insightful

      Not quite. If you have broken into the DMZ, that's all you have. Even mildly competent sysadmins know not to trust the DMZ and therefore you do not automatically have access to the rest of the network, nor do you have access to any confidential documents.

      The exploit mentioned in the article doesn't rely on ssh being configured to connect directly to root. It relies on the attacker having gained root access on the box being ssh'd to by the sysadmin. Once the sysadmin has ssh'd to the compromised box (as any user) the attacker can then ssh to any other box the sysadmin has configured to use agent forwarding.

      Two solutions to prevent this compromise of the rest of the network:
      1) Don't allow the DMZ box to ssh anywhere; firewall it off. There should be no need to ssh FROM the DMZ box, only TO it.

      2) Use a different public/private key pair for each box. That way, if you didn't firewall the DMZ off it would still fail on the key authentication. The drawback of this is a) the attacker can still ssh to your admin box which contains all of the private keys and b) you lose most of the advantage of agent forwarding; the ability to ssh through a chain of boxes without any but the first needing to store the private key.

      I suppose the underlying message in the article is "You REALLY can't trust anything in a DMZ that may have been compromised. ssh is a tool that can be turned against you if one of your machines is compromised."

      --
      Sig matters not. Judge me by my sig, do you?
  5. The Key is Not Transmitted by Wovel · · Score: 5, Insightful

    The key is not transmitted or sent to the socket file. This person does not understand anything about private key authentication and should return all of his certifications. Please stop posting stories by them; it is embarrassing.

  6. Re:Huh? What? by Onan · · Score: 4, Insightful

    User B (evul hacker with root on box foo):
    foo# SSH_AGENT_PID=XXXX; export SSH_AGENT_PID
    foo# SSH_AUTH_SOCK=/tmp/ssh-YYYY/ZZZZ; export SSH_AUTH_SOCK

    Uh, this is hardly the only way that someone with root on the machine from which you're authenticating can obtain your credentials. Far more effective than this would be for them to simply take your private key file and grab your passphrase as you enter it; that would allow them to use these credentials forever in the future, rather than being limited to when you have an agent running on their machine.

    So... how does this even remotely approach being news? Yes, if you type your passwords into a machine on which someone else has root, you have given those passwords to them! The horror! I had no idea!

    The best thing I can say about this article summary is that it did not misrepresent the actual piece. The article itself was also muddled tripe, filled with semi-true and completely-irrelevant noise like "in unix, everything is a file..."

    It appears that the author is just a firewall admin who's offended that ssh can be used to thwart his precious acls, and invested in giving the tool a bad name.
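    The mitigations ladadadada lists (per-host keys, never letting the DMZ box be a hop that carries credentials) and the socket hijack Onan quotes can both be addressed from the admin's own client config; the fragment below is an added example, not code from the article or from any commenter, and the host names, addresses and key paths in it are assumed.

```sshconfig
# Added example (not from the article or any commenter): a client-side
# ~/.ssh/config that keeps the agent socket off DMZ hosts.
# Host names, the 10.0.1.11 address and the key paths are constructed.

# Default for every host: never expose the agent socket on the remote
# side, and offer only the key configured for that host.
Host *
    ForwardAgent no
    IdentitiesOnly yes

# The bastion in the DMZ gets its own key pair. If that box is rooted,
# the key the attacker can observe being used unlocks nothing else.
Host dmz-jump
    HostName jump.dmz.example.com
    User admin
    IdentityFile ~/.ssh/id_ed25519_dmz_jump

# Hosts behind the bastion are reached with ProxyJump: the TCP stream is
# relayed through dmz-jump, but authentication runs end-to-end from this
# client, so neither an agent socket nor a private key lands on the
# jump host. This keeps the "chain of boxes" convenience without agent
# forwarding.
Host app01.dmz
    HostName 10.0.1.11
    User admin
    ProxyJump dmz-jump
    IdentityFile ~/.ssh/id_ed25519_app01
```

    Where agent forwarding genuinely cannot be avoided, loading keys with `ssh-add -c` makes every use of the key through the agent prompt for confirmation on the admin box, so a hijacked socket produces a visible prompt rather than a silent login.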

  7. Re:Huh? What? by Matey-O · · Score: 3, Insightful

    I think part of the article is trying to say that users can enable their own ssh tunnels to home, and thus if their home network is compromised there is an easy route into the office intranet.

    But how is this not the case for ANY connection from a home network to the office... VPN opens up the same issues too.
    --
    "Draco dormiens nunquam titillandus."