ssh-agent too easy to hack

Tim McGarry tim at mcgarry.ch
Tue Jan 15 11:52:26 EST 2002


> > SSH_AUTH_SOCK=/tmp/ssh-saZ24308/agent.24308?SALT=RaNdoMsTuFF447183414
>
> Total waste of time.  Your environment variables are public information,
> Try: /usr/ucb/ps -ewwwww on Solaris if you don't believe me.
You're right, so perhaps I'll write a wrapper around ssh (for legitimate
users) to find the agent and set the env, even when the SSH_BLAH variables
aren't set.

>
> Also, since you are talking about protecting against someone who already
> has root on the machine there is nothing whatsoever you can do to help
> the situation since they can always just attach a debugger to the
> running ssh-agent and get stuff that way, or if they are really perverse
>   dig around in /dev/kmem.
If they've got root access and they are determined enough then they are going
to break the agent anyhow; I'd just like to secure it up a bit so that it's
harder to do without leaving a trace. Changing permissions on volatile files
is not easy to detect in a general way across all files on the system, that's
why I believe ssh-agent should make this check and should be as strict about
permissions as ssh/sshd are.

> If the socket was held in an NFS directory AUTH_DH or AUTH_GSS with
> kerberos would protect against some of that attack but see above.
I'm no GSS expert, but with AUTH_DH root can access the NFS mounts anyhow,
once the credentials get into the keyserver and the mount is permitted.

Tim McGarry
> --
> Darren J Moffat
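As an added illustration (not code from this thread or from OpenSSH), a small Python audit that applies the check Tim is asking for to an agent socket: the socket and its parent directory must be owned by the calling user, with no group or world access bits, the same standard sshd applies to ~/.ssh. The temp-directory layout and the file names it builds are constructed for the demo.

```python
"""Audit an ssh-agent socket path the way sshd audits ~/.ssh.
Constructed example: not OpenSSH code, not from the mailing-list thread."""
import os
import socket
import stat
import tempfile


def audit_agent_socket(path, uid=None):
    """Return a list of findings; an empty list means the layout looks right."""
    uid = os.getuid() if uid is None else uid
    findings = []
    try:
        st = os.lstat(path)  # lstat: do not follow a planted symlink
    except FileNotFoundError:
        return ["socket %s does not exist" % path]
    if not stat.S_ISSOCK(st.st_mode):
        findings.append("%s is not a unix socket" % path)
    if st.st_uid != uid:
        findings.append("socket owned by uid %d, expected %d" % (st.st_uid, uid))
    if stat.S_IMODE(st.st_mode) & 0o077:
        findings.append("socket mode %o is group/world accessible" % stat.S_IMODE(st.st_mode))
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.lstat(parent)
    if pst.st_uid != uid:
        findings.append("directory owned by uid %d, expected %d" % (pst.st_uid, uid))
    if stat.S_IMODE(pst.st_mode) & 0o077:
        findings.append("directory mode %o is group/world accessible" % stat.S_IMODE(pst.st_mode))
    return findings


def build_demo(secure=True):
    """Create a constructed agent-style dir/socket under a temp dir; return the socket path.
    secure=False reproduces the loose permissions the thread complains about."""
    agent_dir = os.path.join(tempfile.mkdtemp(prefix="ssh-demo-"), "agent-dir")
    os.mkdir(agent_dir)
    os.chmod(agent_dir, 0o700 if secure else 0o755)  # chmod explicitly: mkdir is umask-masked
    sock_path = os.path.join(agent_dir, "agent.sock")
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(sock_path)
    s.close()  # the filesystem entry survives the close, which is all the audit needs
    os.chmod(sock_path, 0o600 if secure else 0o666)
    return sock_path


if __name__ == "__main__":
    target = os.environ.get("SSH_AUTH_SOCK")
    if not target:
        print("SSH_AUTH_SOCK not set; auditing constructed demo layouts instead")
        for secure in (True, False):
            print(secure, audit_agent_socket(build_demo(secure)) or "OK")
    else:
        print(audit_agent_socket(target) or "OK")
```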

More information about the openssh-unix-dev mailing list