Overconfidence in SSH Protection

nitsudima writes to mention a post on the Informit site about the common misunderstandings surrounding SSH, and how well-intentioned admins may be creating holes in their own security by using it. From the article: "In UNIX, all things are files. To send network traffic, UNIX writes the traffic to the network device file. In this case, the connection to Box A (and that private key used for authentication) is a socket file. This file will shuttle the authentication traffic between Box A and Box P. So what's the risk? Maybe the hacker can't get a copy of the private key through the socket file, but something better (from his/her view) can be done. If the hacker has root on Box D, he or she can point a private copy of the agent forwarding software to that socket file and thereby point the authentication process to the administrator's credentials--the ones kept on the 'safe' intranet. What are the chances that the administrator has configured access to all the DMZ servers he controls?"

Huh? What?

[XanC]

I consider myself fairly competent as far as this kind of stuff goes, but I just couldn't follow that summary at all. Maybe it's just because it's so late. Can someone post a more sensible summary of an attack?

All I need is root?

So all I need to do is to get a root access to a Linux server and I can spy normal users there? Whoah, now this is what I call news.

Root

[L0rdJedi]

Yep, just gotta get root. Of course, at that point, you probably have more to worry about than someone redirecting your ssh session.

dont really understand the problem.

[geoff+lane]

If you gain access to a system within the DMZ you've already broken in ... ssh has nothing to do with it.

Any sysadmin who configures sshd to allow direct access to a root account is incompetent and deserves to clean up the resulting mess when they are cracked.

So what should we worry about again?

Re:dont really understand the problem.

[FuryG3]

I agree completely. Remote root login is disabled by default, and system administrators should *not* enable it unless there is some damned good reason. Too often I have seen sysadmins simply enable root login, and twice now I've seen someone do key exchanges so that they can 'seemlessly' ssh as root between all of their servers.

Duh.

Re:dont really understand the problem.

[ladadadada]

Not quite. If you have broken into the DMZ, that's all you have. Even mildly competent sysadmins know not to trust the DMZ and therefore you do not automatically have access to the rest of the network, nor do you have access to any confidential documents.

The exploit mentioned in the article doesn't rely on ssh being configured to connect directly to root. It relies on the attacker having gained root access on the box being ssh'd to by the sysadmin. Once the sysadmin has ssh'd to the comnpromised box (as any user) the attacker can then ssh to any other box the sysadmin has configured to use agent forwarding.

Two solutions to prevent this compromise of the rest of the network:
1) Don't allow the DMZ box to ssh anywhere; firewall it off. There should be no need to ssh FROM the DMZ box, only TO it.

2) Use a different public/private key pair for each box. That way, if you didn't firewall the DMZ off it would still fail on the key authentication. The drawback of this is a) the attacker can still ssh to your admin box which contains all of the private keys and b) you lose most of the advantage of agent forwarding; the ability to ssh through a chain of boxes without any but the first needing to store the private key.

I suppose the underlying message in the article is "You REALLY can't trust anything in a DMZ that may have been compromised. ssh is a tool that can be turned against you if one of your machines is compromised."

The Key is Not Transmitted

[Wovel]

The key is not transmitted or sent to the socket file. This person does not understand anything about private key authentication and should return all of his certifications, and please stop posting stories by them, it is embarassing.

Re:The Key is Not Transmitted

[cortana]

Perhaps the author of the article should have read the source of the text you quoted. The preceding paragraph:

ForwardAgent Specifies whether the connection to the authentication agent (if any) will be forwarded to the remote machine. The argument must be "yes" or "no". The default is "no".

So the only people who will be caught out by this are those who:

1. Blindly enable ForwardAgent without reading the security considerations mentioned in the manual.
2. Set up ssh-agent without considering how it will expose their private key.

Configuring the agent to prompt the user to confirm any signing request can be as complicated as putting the private key on a smart card (which will make the reader prompt for a PIN whenever the card recieves a signing request) or it can be as simple as using the -c option when calling ssh-add; therefore this does not seem like a big deal to me.

Not a SSH problem?

[andy753421]

Maybe I read the article wrong but it seems to me like a problem with someones design and not with SSH, a little like saying Unix is insecure because a unwitty sysadmin could try to make his life easier by using a blank root password.

Re:Huh? What?

[limegreen]

I think part of the article is trying to say that users can enable their own ssh tunnels to home, and thus if their home network is compromised there is an easy route into the office intranet.

Hopefully, a better summary...

[perlionex]

The submitter didn't summarise anything, he cut out a chunk which didn't make much sense on its own. It didn't help that the article was fairly long-winded. This is what I understand the author is trying to say:

Administrators use SSH to run scripts (from server A) to patch other servers (B, etc). These scripts are automated and make use of credentials stored in server A to gain access to the other servers (B, etc.).

If a hacker gains access to server A, he can then use the credentials to access the other servers.

As others have commented, this is kind of a "duh" moment. What's the next article?

Re:Hopefully, a better summary...

[flooey]

Administrators use SSH to run scripts (from server A) to patch other servers (B, etc). These scripts are automated and make use of credentials stored in server A to gain access to the other servers (B, etc.).

If a hacker gains access to server A, he can then use the credentials to access the other servers.

Actually, it was a little more complicated. The scenario is actually that administrators use SSH to run scripts on server A to patch server A using patches from server B. The trick is, without having credentials stored on server A, a hacker who compromised server A could still trick his way into getting server B to allow him to log in if someone was logged into server A and had agent forwarding turned on.

It's not quite as straightforward of a duh moment (after all, server A on its own can't log into server B), it's basically just saying "when you log into a server and have agent forwarding turned on, you allow anyone with root access on that server to log into anywhere your agent can log into".

Basic Stuff

[sodell]

The article illustrated one very convoluted way to break your DMZ security, but failed to make the simple statement: don't trust anyone, not even root, on your DMZ hosts. Allow SSH logins into the DMZ, and allow the DMZ to pull files from private network patching servers, such as apt repositories, but don't allow anyone to SSH from the DMZ to the intranet. Assume the DMZ is cracked wide open and keystroke logging. No one is going to get past the DMZ by watching you type 'apt-get install squid' but they will by watching you type 'ssh root@creditcarddb.int' and then the root password.

Anyone who tunnels from the DMZ to a trusted host which can execute commands on a sensitive server can't see the forest for the trees. You've learned how to use SSH and tunnel, but you're lacking some basic common sense.

Also, I don't see what good a socket catching the authentication will do ... you can packet sniff the authentication process all day long and you won't get someone's private key.

That whole article seemed a bit of voodoo itself. Many incongruous statements, like "If the hacker has root on Box D, he or she can point a private copy of the agent forwarding software to that socket file and thereby point the authentication process to the administrator's credentials--the ones kept on the "safe" intranet."

What does that mean, exactly? You direct the authentication process to a socket file and point the process to the admin's credentials? If the socket is on the DMZ host, and the credentials are on the private network host, how can you point the authentication process to those credentials?

Maybe I'm stupid, but the article didn't seem to make a lot of sense.

Re:Basic Stuff

[flooey]

What does that mean, exactly? You direct the authentication process to a socket file and point the process to the admin's credentials? If the socket is on the DMZ host, and the credentials are on the private network host, how can you point the authentication process to those credentials?

When the admin logs into the DMZ host with agent forwarding turned on, SSH will create a socket to interact with the agent on the admin's machine. Since the wily hacker has root on the DMZ machine, he can write to and read from that socket with no problem, and thus can ask the agent to authenticate to anywhere that the agent is willing to authenticate to (what he actually would do is just set environment variables for SSH that say "I'm using agent forwarding, my agent is located at {admin's agent forwarding socket}").

Re:Huh? What?

[Riku]

Here's a summary for you:

User A on box foo:
foo> ssh-agent xterm
foo> ssh-add
  * enters their pass key *
User A can now ssh to any box that has their public key in box:$HOME/.ssh/authorized_keys

User B (evul hacker with root on box foo):
foo# SSH_AGENT_PID=XXXX; export SSH_AGENT_PID
foo# SSH_AUTH_SOCK=/tmp/ssh-YYYY/ZZZZ; export SSH_AUTH_SOCK
User B now can ssh to any box that User A can, as above.
(where XXXX, YYYY, and ZZZZ are determined by evul hacker)

AgentForwarding AS AN OPTIONAL FEATURE

[meridian]

YES Thats correct you can use AgentForwarding.... If you are stupid enough to use agent forwarding to a host you don't trust or you would consider insecure ITS YOUR OWN STUPID FAULT IF YOU GET HACKED. Now for the evil h4x0rz to use agent forwarding on the host you connect to to hack the machine you are coming in from requires quite a number of things to be done on your stupid behalf that sure wouldnt be enabled by default and you would almost need to set them up purposefully. The only real danger with agent forwarding to an insucure host is that evil h4x0rz on that host can use your forwarded authentication agent to connect to boxes that are set up to both allow connections using that ssh-key AND allow tcp connections from any box that the evil h4x0rz have access to. Aside from that it is only as insecure as establishing a telnet session to the box and having some buffer overflow occur back to the client due to poor code on the client side. I am sure not about to stop using ssh for some "simpler" protocol like telnet but I will sure keep disabling AgentForwarding and any kind of portforwarding the hosts I dont trust and I ASSUME EVERYONE ELSE WILL CONTINUE TO DO THAT AS WELL. Otherwise you might as well start posting your root passwords to slashdot which may or may not matter if you have locked your systems down correctly in the first place.

Re:AgentForwarding AS AN OPTIONAL FEATURE

[meridian]

Actually...
Rather than assume anyone^H^H^H^H^H^Heveryone on slashdot has any brains when it comes to Securing SSH let me give you some tips I/Other people have

Restricted ssh shell for scp/sftp http://sublimation.org/scponly/
Patch to lock out IPs brute forcing passwords http://ethernet.org/~brian/src/timelox/

Can add restrictions to authorized_keys file
from="hostipaddress",command="/usr/local/sbin/ssh_ command_allow_rsync",no-port-forwarding,no-X11-for warding,no-agent-forwarding,no-pty ssh-rsa AA...= backup_key

Securing sshd in /etc/ssh/sshd_config
        Protocol 2
        PermitRootLogin without-password
        PasswordAuthentication no
        ChallengeResponseAuthentication no
        ClientAliveInterval 60
        ClientAliveCountMax 30

The first line says to stop using the old, lower security ssh protocol-1.

The second line is a hedge that says never allow root logins using the unix password -- always use some other authentication.

The third line says don't allow skey authentication. It is a good idea to turn this off if you aren't using skey at this time. (Skey implements a series of non-reusable, one-time passwords. If you were using it you would know.)

The fourth and fifth lines simply make sure that any connection to a client that doesn't respond at least once each half hour gets closed. After editing the sshd file, restart sshd or reboot for the changes to take effect.

31-12-2004: new rate-limiting feature in -current. This would block hosts that exceed 10 connections per 60 seconds.
    pass in on $ext_if proto tcp to $ext_if port ssh flags S/SA \
                keep state (max-src-conn-rate 10/60, overload )
    block in on $ext_if proto tcp from to $ext_if port ssh

Also my previous post to do with limiting user connections to SSH during the scarey SSH port scanning days of not so long ago...
http://it.slashdot.org/comments.pl?sid=156058&cid= 13084357

Repeated here for your convenience:
Ways around SSH Brute forcing (Score:1)
by meridian (16189) on 11:06 AM July 17th, 2005 (#13084357)
(http://www.thief.net/)
There are esentially three ways to fix this problem.
The first is to patch sshd which is probably the least preferable way as you would need to continually keep patching with each upgrade. But this seems effective allowing you to exec a system command such as iptables.
http://ethernet.org/~brian/src/timelox/ [ethernet.org]

The second is to use iptables to limit connection attempts from an IP address. One problem with this is people who use scp alot may quickly rack up that connection limit.
Here is a recent example from the iptables mailing list
iptables -A INPUT -p tcp --dport 22 -s ! $My_Home_Firewall_IP -m state --state NEW -m recent --name SSH --set --rsource -j SSH_BF
iptables -A SSH_BF -m recent ! --rcheck --seconds 60 --hitcount 3 --name SSH --rsource -j RETURN
iptables -A SSH_BF -j LOG --log-prefix "SSH Brute Force Attempt: "
iptables -A SSH_BF -p tcp -j DROP

The best in my opinion is a pam module found at http://www.kernel.org/pub/linux/libs/pam/modules.h tml [kernel.org] called pam_abl
This does not have the problem of the IPTables method that may mistake multiple fast scps etc as an attack attempt, and will not require coninutal repatching of the kernel such as the timelox patches.

There is a reason....

Why the developers of ssh have an option to forbid agent forwarding. Isn't it off by default? I cite from "man ssh":

>>>
                          Agent forwarding should be enabled with caution. Users with the
                          ability to bypass file permissions on the remote host (for the
                          agent's Unix-domain socket) can access the local agent through
                          the forwarded connection. An attacker cannot obtain key material
                          from the agent, however they can perform operations on the keys
                          that enable them to authenticate using the identities loaded into
                          the agent.

So wha is slashdot running an article about something where there is an explicit one-paragraph long waring in the man page of program at the option in question.

Yes, no doutbt there are a lot of idiots around, who without understanding,do things which require semantics which leads to a security leak (there is abolutely no way if you want to initiate authenticatication from processes on a machine to avoid root to do the same - as log as you are not asked on the agent's side each time before authentication;

Re:Huh? What?

[Onan]

User B (evul hacker with root on box foo):
foo# SSH_AGENT_PID=XXXX; export SSH_AGENT_PID
foo# SSH_AUTH_SOCK=/tmp/ssh-YYYY/ZZZZ; export SSH_AUTH_SOCK

Uh, this is hardly the only way that someone with root on the machine from which you're authenticating can obtain your credentials. Far more effective than this would be for them to simply take your private key file and grab your passphrase as you enter it; that would allow them to use these credentials forever in the future, rather than being limited to when you have an agent running on their machine.

So... how does this even remotely approach being news? Yes, if you type your passwords into a machine on which someone else has root, you have given those passwords to them! The horror! I had no idea!

The best thing I can say about this article summary is that it did not misrepresent the actual piece. The article itself was also muddled tripe, filled with semi-true and completely-irrelevant noise like "in unix, everything is a file..."

It appears that the author is just a firewall admin who's offended that ssh can be used to thwart his precious acls, and invested in giving the tool a bad name.

Re:Huh? What?

The article is about a common misconfiguration with regard to agent forwarding. The DMZ hosts aren't supposed to be safe, that's why they're in the DMZ and not in the intranet. The admin must assume that root on these machines is compromised. Consequently he doesn't store his private keys on any of the DMZ machines. But what many overlook, possibly because they don't use the feature, is agent forwarding. Once the admin has logged into a compromised DMZ host, access to his credentials is extended to the DMZ host by that ominous socket. The file itself never leaves the admin's computer, but if agent forwarding is enabled, root on the DMZ host can now point other hosts on the intranet to the authentication facility on the admin's computer. This misconfiguration enables the attacker to hop from the DMZ to the intranet. The correct way to avoid this is to disable agent forwarding (on the admin's computer, not just on the DMZ hosts, of course).

They haven't heard of ssh-add -c?

[biftek]

A few versions ago OpenSSH added a -c "Require confirmation to sign using identities" to ssh-add to take care of this. Or using something like SSHKeychain on OS X so it'll ask for confirmation for multi-hop auth, but not for connections direct from your trusted machine.

2004 article mentions this

[TomAnthony]

I've never needed to use ssh-agent, and during reading this I thought I'd read up on it a bit. So I google it and found an article, written in 2004, that had this to say:

So the bad news is that your agent keys are usable by the root user. The good news, however, is that they are only usable while the agent is running -- root could use your agent to authenticate to your accounts on other systems, but it doesn't provide direct access to the keys themselves. This means that the keys can't be taken off the machine and used from other locations indefinitely.

Is there any way to keep root from using your agent, even though it can subvert unix file permissions? Yes, you can. If you supply the -c option when you import your keys into the agent, then the agent will not allow them to be used without confirmation. When someone attempts to use your agent to authenticate to a server, the ssh-agent will run the ssh-askpass program. This program will pop up on your X11 desktop and ask for confirmation before proceding to use the key.

At this point you're probably going to realize that we're still fighting a losing battle. The local root account can access your X11 desktop, all your processes, you name it. If you can't trust the root user, you're in trouble.

However this will prevent root on machines to which you've forwarded the agent from accessing your agent.

Re:So...

[Dan+Ost]

No, it's not really a man in the middle attack.
It's more of a credential hijacking scenario where
the attacker waits for you to authenticate with
the compromised machine, forward your credentials
to that machine, and then the attacker uses those
credentials to reach other machines that honor those
credentials.

This would be more like you signing in, walking
away from your computer, and someone else walkup up
to the computer and doing stuff as you except that
they get to act as you while you're still acting
as you.

Did that help?

Summary to the Summary

[Zygamorph]

Don't use SSH to poke a hole in the firewall separating your DMZ from the intranet.

Re:Huh? What?

[Matey-O]

I think part of the article is trying to say that users can enable their own ssh tunnels to home, and thus if their home network is compromised there is an easy route into the office intranet.

But how is this not the case for ANY connection from a home network to the office...VPN opens up the same issues too.