Slashdot Mirror
Overconfidence in SSH Protection
nitsudima writes to mention a post on the Informit site about the common misunderstandings surrounding SSH, and how well-intentioned admins may be creating holes in their own security by using it. From the article: "In UNIX, all things are files. To send network traffic, UNIX writes the traffic to the network device file. In this case, the connection to Box A (and that private key used for authentication) is a socket file. This file will shuttle the authentication traffic between Box A and Box P. So what's the risk? Maybe the hacker can't get a copy of the private key through the socket file, but something better (from his/her view) can be done. If the hacker has root on Box D, he or she can point a private copy of the agent forwarding software to that socket file and thereby point the authentication process to the administrator's credentials--the ones kept on the 'safe' intranet. What are the chances that the administrator has configured access to all the DMZ servers he controls?"
I consider myself fairly competent as far as this kind of stuff goes, but I just couldn't follow that summary at all. Maybe it's just because it's so late. Can someone post a more sensible summary of an attack?
So all I need to do is to get a root access to a Linux server and I can spy normal users there? Whoah, now this is what I call news.
Yep, just gotta get root. Of course, at that point, you probably have more to worry about than someone redirecting your ssh session.
Any sysadmin who configures sshd to allow direct access to a root account is incompetent and deserves to clean up the resulting mess when they are cracked.
So what should we worry about again?
So you are calling the OpenBSD guys incompetent? After all, if you enable SSH in the default installation, you can SSH into that machine including as root.
Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
The key is not transmitted or sent to the socket file. This person does not understand anything about private key authentication and should return all of his certifications, and please stop posting stories by them, it is embarassing.
Maybe I read the article wrong but it seems to me like a problem with someones design and not with SSH, a little like saying Unix is insecure because a unwitty sysadmin could try to make his life easier by using a blank root password.
I think part of the article is trying to say that users can enable their own ssh tunnels to home, and thus if their home network is compromised there is an easy route into the office intranet.
The submitter didn't summarise anything, he cut out a chunk which didn't make much sense on its own. It didn't help that the article was fairly long-winded. This is what I understand the author is trying to say:
As others have commented, this is kind of a "duh" moment. What's the next article?Gan Family Homepage
The article illustrated one very convoluted way to break your DMZ security, but failed to make the simple statement: don't trust anyone, not even root, on your DMZ hosts. Allow SSH logins into the DMZ, and allow the DMZ to pull files from private network patching servers, such as apt repositories, but don't allow anyone to SSH from the DMZ to the intranet. Assume the DMZ is cracked wide open and keystroke logging. No one is going to get past the DMZ by watching you type 'apt-get install squid' but they will by watching you type 'ssh root@creditcarddb.int' and then the root password.
... you can packet sniff the authentication process all day long and you won't get someone's private key.
Anyone who tunnels from the DMZ to a trusted host which can execute commands on a sensitive server can't see the forest for the trees. You've learned how to use SSH and tunnel, but you're lacking some basic common sense.
Also, I don't see what good a socket catching the authentication will do
That whole article seemed a bit of voodoo itself. Many incongruous statements, like "If the hacker has root on Box D, he or she can point a private copy of the agent forwarding software to that socket file and thereby point the authentication process to the administrator's credentials--the ones kept on the "safe" intranet."
What does that mean, exactly? You direct the authentication process to a socket file and point the process to the admin's credentials? If the socket is on the DMZ host, and the credentials are on the private network host, how can you point the authentication process to those credentials?
Maybe I'm stupid, but the article didn't seem to make a lot of sense.
Here's a summary for you:
User A on box foo:
foo> ssh-agent xterm
foo> ssh-add
* enters their pass key *
User A can now ssh to any box that has their public key in box:$HOME/.ssh/authorized_keys
User B (evul hacker with root on box foo):
foo# SSH_AGENT_PID=XXXX; export SSH_AGENT_PID
foo# SSH_AUTH_SOCK=/tmp/ssh-YYYY/ZZZZ; export SSH_AUTH_SOCK
User B now can ssh to any box that User A can, as above.
(where XXXX, YYYY, and ZZZZ are determined by evul hacker)
It's not just you. I had to re-read it several times.
I think the main point (the one the article submitter picked up on) was that if an attacker can compromise your DMZ box (the most vulnerable box your company owns and hence the least trusted box your company owns) that has no private ssh keys stored on it and can't connect to any other trusted box but does have trusted boxes connecting to it, then he can use that to compromise further trusted boxes inside the organisation.
To put it another way, if you ssh to an attacker's machine using agent forwarding he can probably ssh back to yours.
Sig matters not. Judge me by my sig, do you?
YES Thats correct you can use AgentForwarding.... If you are stupid enough to use agent forwarding to a host you don't trust or you would consider insecure ITS YOUR OWN STUPID FAULT IF YOU GET HACKED. Now for the evil h4x0rz to use agent forwarding on the host you connect to to hack the machine you are coming in from requires quite a number of things to be done on your stupid behalf that sure wouldnt be enabled by default and you would almost need to set them up purposefully. The only real danger with agent forwarding to an insucure host is that evil h4x0rz on that host can use your forwarded authentication agent to connect to boxes that are set up to both allow connections using that ssh-key AND allow tcp connections from any box that the evil h4x0rz have access to. Aside from that it is only as insecure as establishing a telnet session to the box and having some buffer overflow occur back to the client due to poor code on the client side. I am sure not about to stop using ssh for some "simpler" protocol like telnet but I will sure keep disabling AgentForwarding and any kind of portforwarding the hosts I dont trust and I ASSUME EVERYONE ELSE WILL CONTINUE TO DO THAT AS WELL. Otherwise you might as well start posting your root passwords to slashdot which may or may not matter if you have locked your systems down correctly in the first place.
meridian at tha.net
Why the developers of ssh have an option to forbid agent forwarding. Isn't it off by default? I cite from "man ssh":
>>>
Agent forwarding should be enabled with caution. Users with the
ability to bypass file permissions on the remote host (for the
agent's Unix-domain socket) can access the local agent through
the forwarded connection. An attacker cannot obtain key material
from the agent, however they can perform operations on the keys
that enable them to authenticate using the identities loaded into
the agent.
So wha is slashdot running an article about something where there is an explicit one-paragraph long waring in the man page of program at the option in question.
Yes, no doutbt there are a lot of idiots around, who without understanding,do things which require semantics which leads to a security leak (there is abolutely no way if you want to initiate authenticatication from processes on a machine to avoid root to do the same - as log as you are not asked on the agent's side each time before authentication;
Personnaly, I never understood how talented SSH developers came to the conclusion that they needed to invent such a crappy thing : ssh-agent. And I've seen people use it, the same people who put their private keys on USB sticks to ensure that nobody will steal them, but who are not afraid of collegues having root access on their machine ...
ssh-agent is a solution to grant any process on the system full access to a means of authenticating through your private key. No comment ! There's nothing difficult in typing
a passphrase each time you connect to a remote site !
--
willy
high performance free load balancing solution - http://w.ods.org/haproxy/
So... how does this even remotely approach being news? Yes, if you type your passwords into a machine on which someone else has root, you have given those passwords to them! The horror! I had no idea!
The best thing I can say about this article summary is that it did not misrepresent the actual piece. The article itself was also muddled tripe, filled with semi-true and completely-irrelevant noise like "in unix, everything is a file..."
It appears that the author is just a firewall admin who's offended that ssh can be used to thwart his precious acls, and invested in giving the tool a bad name.
If someone gets root on one of your boxes, all bets are off as there's a very good chance that they'll get root on another one of them (by keylogging passwords, brute forcing the password on a sudo enabled account, passwordless ssh keys, hijacking a session etc etc)
Wash, rinse, repeat.
Before you know it your whole DMZ is rooted (in more than one sense).
In short:
- If you find a compromised box on your network, assume there's more than one and order pizza... you're in for a long night.
- Segregate your networks so if someone, say, gets at your DMZ there's no way to get into your internal or other production network i.e. no ssh or accessible services on your firewall machines on the DMZ interfaces.
i.e. It's not just an issue with ssh.
The article is about a common misconfiguration with regard to agent forwarding. The DMZ hosts aren't supposed to be safe, that's why they're in the DMZ and not in the intranet. The admin must assume that root on these machines is compromised. Consequently he doesn't store his private keys on any of the DMZ machines. But what many overlook, possibly because they don't use the feature, is agent forwarding. Once the admin has logged into a compromised DMZ host, access to his credentials is extended to the DMZ host by that ominous socket. The file itself never leaves the admin's computer, but if agent forwarding is enabled, root on the DMZ host can now point other hosts on the intranet to the authentication facility on the admin's computer. This misconfiguration enables the attacker to hop from the DMZ to the intranet. The correct way to avoid this is to disable agent forwarding (on the admin's computer, not just on the DMZ hosts, of course).
A few versions ago OpenSSH added a -c "Require confirmation to sign using identities" to ssh-add to take care of this. Or using something like SSHKeychain on OS X so it'll ask for confirmation for multi-hop auth, but not for connections direct from your trusted machine.
Anyone with the time and resources is going to find a way into your network. Many times security does not have to be bullet proof. Don't have to be faster than the bear, just faster than the large majority of other networks. Unless there's something really compelling on your system, they're likely to pick an easier target.
I use my home network as an example. I have one copy of XP on my system. What I consider the weak link in the security chain. It's on a NAT'd segment, I don't surf the internet with it and anything sensitive is on a TrueCrypt partition that I only mount when needed. Hardly bullet proof but not bad for Windows.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
Tom Anthony
No, it's not really a man in the middle attack.
It's more of a credential hijacking scenario where
the attacker waits for you to authenticate with
the compromised machine, forward your credentials
to that machine, and then the attacker uses those
credentials to reach other machines that honor those
credentials.
This would be more like you signing in, walking
away from your computer, and someone else walkup up
to the computer and doing stuff as you except that
they get to act as you while you're still acting
as you.
Did that help?
*sigh* back to work...
Don't use SSH to poke a hole in the firewall separating your DMZ from the intranet.
"Draco dormiens nunquam titillandus."
Sorry, doesn't work.
I'm an 3v1l h4x0r in complete control of untrusted host X. Some poor fool uses SSH to connect to the trusted, firewalled host Haven. At this point, since I'm in complete control of X, I can simply send commands from X to Haven, doing anything the user could - including launching an SSH or telnet client from Haven's command line. What ? Haven doesn't have them ? Then I simply send one, piping encoded data to uudecode, or perhaps a mail client (to send the file to the users own account - if it's machine-local delivery, it propably won't go through the companys mail server and won't be stripped for binaries), or maybe simply through some insane sed script to turn hexcodes back to binary format - but one way or another, I'll get the telnet client to Haven.
Well, now I have telnet in Haven, and can connect to any service running at Haven, with the connection seemingly originating from Haven itself. And of course I can connect to other intranet machines as well. Or I could use some kind of hex-to-bin proxy telnet-like program, and another one on X, to emulate agent forwarding.
The point is that as long as there is a connectiong between X and Haven, and Haven gives the user a command line interface, it is impossible to prevent the user from forwarding arbitrary connections over it. Or at least simply preventing SSHs native support for that won't stop it from happening.
The lesson: any machine that gives shell access to untrusted machines is untrusted.
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
Okay, so let me just get this straight. Executive summary, "moral of the story," whatever, is...
Don't use agent forwarding when connecting to an untrusted box?
Can you just mandate that as a policy or are there times when you absolutely have to use agent forwarding via an untrusted/DMZed machine? I don't think I've ever used a DMZ machine for agent forwarding, but then again it's not really a feature I've used very heavily.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
I think you have it backwards. The author's concern about people tunnelling from home isn't that a compromised work machine will take-over the remote worker's home machine. He's a firewall admin and could care less about your home machine's health, in and of itself. What he is concerned about is the fact that your previously compromised home box can tunnel right through all of that hard work he's done trying to build a secure firewall and have IP access to attack the internal network's soft underbelly. SSH, IPSEC and other tunnelling solutions are putting untrustworthy machines directly inside the firewall.
A more secure way would be to only allow non-port forwarded, remote desktop-style connections to a single cluster of terminal server machines. This would prevent direct remote attacks from the home machine against anything other than the terminal server on the terminal server ports. A compromised home machine could still allow someone to tunnel and login to the terminal server as you via remote control, but at least you have limited the attacker's access to a machine that you control and that isn't compromised. While your credentials would be compromised (via the keylogger/session shadower the attacher installed on your home machine), the attacker would only be able to do what you could do on the terminal server. You would be screwed when they detect "you" attempting to compromise internal security or sneaking out sensitive information, but the network would be much safer.
Alternately, if you don't have a terminal server-style (RDP, Citrix, LTSP, etc.) environment set up, you could have the tunnel gateway only allow RDP/Citrix/X access to the user's work desktop with similar security attributes.
"It appears that the author is just a firewall admin who's offended that ssh can be used to thwart his precious acls, and invested in giving the tool a bad name."
/. stories that started like, "We're setting up a company and would like to know how you would do xyz with "linux" vs Windows, how long you've been using "linux", how you got approval for it, and how long you have successfully maintained security with the limited headcount you have..." that (if you are cynical) sound like big-company-paid-for pieces meant to flush out Unix/Linux-leaning companies that "ought" to be on ms/windows-related stuff.
/. would agree to a reader-demanded aversion to corporate-paid slipstream submissions... (opps, a ladder and mop bucket are being hurled my way...(instead of conference room executive chairs)...)
Remember the
Just from the "in unix, everything is a file...." I started seeing big money funding this article. I could be wrong, though...
I wonder if
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
If a bad guy has the ability to bypass local file permissions (whether because he's root or because you screwed up the permissions) then he can steal your credentials by putting a backdoor in the SSH client, the SSH server, the terminal driver, the file system, shared libraries (glibc, for example, is so huge and complex you could hide a trapdoor, magic hat, rabbit, three cages of pigeons, and a performing elephant there and nobody would notice).
/usr/bin before you run ssh?
I've cleaned up boxes that had been rootkitted, and if you can't identify when it happened so you can restore from a known good backup you're best off reinstalling from scratch.
The same thing is true, to a lesser extent, for local user privileges. Do you check that $PATH doesn't go through ~/bin before
Once someone can run unsandboxed code on your computer you're compromised, and any tool you use to examine your computer may be compromised, and ssh-agent make so little difference that it's simply not worth worrying about.
Being as filled with tripe as you claim, I might have thought I wrote simply enough for you to understand. I guess not? Under agent forwarding, the first hop device doesn't have the private key. You might review the documents on OpenSSH to understand ssh better. In there, you will find big precautions against agent forwarding in an environment that has high potential for compromise. Would you mind posting these enlightening comments of yours on the actual Informit site?
No, not at all. When you consider the forwarding abilities of both the ssh client and server implementations, it is possible to build what looks to be an insider-initiated tunnel to the outside. Safe, right? Instead, the tunnel is used to force the traffic from the remote server back into the tunnel, and from there, throughout the intranet, including RFC 1918/3330 addresses normally unreachable from the Internet. Let me know if some kind of video file would help explain a very difficult topic in ssh. Many organizations are swapping out telnet/ftp for ssh. That part's great. It's the uncontrollable forwarding abilities that seem the biggest challenge.
-A Enables forwarding of the authentication agent connection. This can also be specified on a per-host basis in a configuration file.
Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the agent's Unix-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent.
So what's the news?
Excellent! I'll reconstruct my test environment and make something good happen... jt