recent breakins

Dave Dykstra dwd at bell-labs.com
Sat Jun 2 04:01:27 EST 2001


On Fri, Jun 01, 2001 at 05:52:50PM +0900, Tom Holroyd wrote:
> On Fri, 1 Jun 2001, Gert Doering wrote:
> 
> > On Fri, Jun 01, 2001 at 11:24:49AM +0900, Tom Holroyd wrote:
> > > But what about multiple links?  It should be possible to forward
> > > authentication requests back to the user's keyboard.  The SRP protocol can
> > > be forwarded over any number of links, *even through a trojaned ssh*
> > > without revealing any information that a cracker can use.
> >
> > Same with agent forwarding and using RSAAuthentication.
> 
> True.  Too bad the guy wasn't using it.  Why wasn't he using it?
> 
> Perhaps OpenSSH should simply disallow password authentication?
> 
> This type of man-in-the-middle attack (trojaned ssh) is not theoretical
> anymore, and password authentication is broken.
> 
> The question is, can password authentication be (securely) forwarded?  If
> not, then we really should remove password authentication as an option.


No.  That would only make breakins a little harder but it is in no way
fundamentally more secure.  Here is Dykstra's law of computer security:

    If any host is broken into, NO MATTER WHAT AUTHENTICATION MECHANISM
    IS USED to connect from there to a second host, the second host can
    also be broken into.


In this case, since the ssh client on sourceforge was compromised, the
cracker could have inserted other commands into the command datastream,
for example commands to insert his own ~/.ssh/authorized_keys entry on the
server.  True, it's slightly harder than just saving a password but as soon
as one hole is closed someone clever will just make a script to use the
next level hole.

Here's the corollary to Dykstra's law:

    The only way to improve the security of computer systems is to ensure
    that ALL hosts that are used to connect between each other are
    completely secured against break-in.


It was unwise of the Apache foundation developer to connect to another
machine through a host that he or she was not completely confident of.

- Dave Dykstra



More information about the openssh-unix-dev mailing list