vulnerability with ssh-agent
Rob McCauley
robmccau at radonc.duke.edu
Sun Jul 18 03:10:40 EST 2004
> > I'm being redundant now, but you can not protect regular user resources
> > from root priviledge. If someone gets root in your system, game over,
> > do restore and/or reinstall.
>
> Yes, so much I understand. For the system that has been broken into.
> But that is not my concern. I am trying to prevent that the damage
> spreads to *other* systems, not yet intruded.
With all due respect, no you don't. Remote system is compromised. The
intruder is, for all intents and purposes, any user account on the system
or all of them. With a little patience, the remote intruder WILL get into
your system if you permit logins from that compromised system. You simply
can't expect a compromised system to protect you.
All this talk about playing around with the kernel is all nice and
good--where you have access to the kernel code. That's quite often not
the case.
I'm sorry, but if you *really* need this functionality, I think the
closest you're going to get is one time passwords, and even they can be
intercepted by root on the remote system. The intruder logs in via the
captured password, the real user gets a failure message and things "Oops,
I fat fingered my password." tries with the next one time password and
gets in, none the wiser that YOUR box has just been compromised. Audit
and investigate ANY time a one time password use fails, perhaps.
I truly think that part of your answer lies in policy. If you need
this level of security, you simply don't allow passwordless logins from
anywhere. You REQUIRE appropriate security and auditing on the remote
end. You don't allow remote connections from anywhere you don't require
them. Maybe you don't connect to the internet at all. You aggresively
audit your local users to make sure they're acting like they always do.
I think you're looking for a silver bullet. A layer of complexity that
will confuse you enough to feel safe, but some intrepid hacker will walk
right through. You think your solution will take "a lot of hacking." If
you're right, someone will do that lot of hacking and distribute the code.
I think you're much better off understanding the risk and taking
appropriate steps to mitigate it.
You raise a valid point, but it's a fundamental weakness of Unix, not of
openssh. Actually just a fundamental weakness in operating systems.
Something has to be the gatekeeper to the physical bits. Compromise the
gatekeeper and you own the system, whether that gatekeeper is a UID,
process, kernel, or chip.
Rob
--
------------------------------------------------------------------------------
Rob McCauley, GCFA
Senior IT Analyst
Radiation Oncology
Duke University Medical Center
More information about the openssh-unix-dev
mailing list