ssh-agent too easy to hack
Darren J Moffat
Darren.Moffat at Sun.COM
Tue Jan 15 11:26:01 EST 2002
On 01/14/02 16:09, Tim McGarry wrote:
> Why can't the ssh-agent put an extra secret in the environment?
>
> SSH_AUTH_SOCK=/tmp/ssh-saZ24308/agent.24308?SALT=RaNdoMsTuFF447183414
Total waste of time. Your environment variables are public information.
Try: /usr/ucb/ps -ewwwww on Solaris if you don't believe me.
Also, since you are talking about protecting against someone who already
has root on the machine, there is nothing whatsoever you can do to help
the situation, since they can always just attach a debugger to the
running ssh-agent and get stuff that way, or, if they are really perverse,
dig around in /dev/kmem.
The only thing that is going to help against root is using a system that
doesn't have root, i.e. one with fine-grained privileges and mandatory
access control (e.g. Trusted Solaris).
> 2/ I also think it should have a timeout too, perhaps dumping all keys if
> the agent is unused for more than 30 mins.
> directories/sockets used by the agent? (yes I realize that anyone who's su'd
> to root, can easily su to be me)
If the socket was held in an NFS directory, AUTH_DH or AUTH_GSS with
Kerberos would protect against some of that attack, but see above.
--
Darren J Moffat
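Since the environment is public, the only thing standing between another local (non-root) user and your agent is the filesystem permission on the socket directory and socket. The following audit script is an added example, not code from the thread or from OpenSSH; it assumes a Linux or BSD `stat` and checks that the directory holding the socket and the socket itself are owned by the caller with no group/other bits set.

```shell
#!/bin/sh
# Added example (not from the thread): audit the agent socket that
# SSH_AUTH_SOCK points at. The protection is the mode on the socket's
# directory and on the socket, not anything in the environment.
# Returns 0 when both are owned by the caller and are mode x00, else 1,
# printing one line per finding.

agent_socket_ok() {
    sock="$1"
    dir=$(dirname "$sock")
    me=$(id -u)
    rc=0
    for p in "$dir" "$sock"; do
        [ -e "$p" ] || { echo "missing: $p"; rc=1; continue; }
        # GNU stat first, BSD stat as the fallback (assumption: one of them exists)
        owner=$(stat -c %u "$p" 2>/dev/null || stat -f %u "$p")
        mode=$(stat -c %a "$p" 2>/dev/null || stat -f %Lp "$p")
        [ "$owner" = "$me" ] || { echo "not owned by uid $me: $p"; rc=1; }
        case "$mode" in
            *00) ;;  # group and other octal digits are zero
            *) echo "group/other access (mode $mode): $p"; rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone use: audit the socket named by SSH_AUTH_SOCK, if one is set.
if [ -n "${SSH_AUTH_SOCK:-}" ]; then
    agent_socket_ok "$SSH_AUTH_SOCK" || echo "SSH_AUTH_SOCK looks unsafe"
fi
```

The idle-timeout idea in the quoted mail maps onto the key lifetime that `ssh-add -t` and `ssh-agent -t` accept; this script only covers the filesystem side.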