Trick user to send private key password to compromised host

Roman Fiedler roman.fiedler at telbiomed.at
Wed May 14 01:57:38 EST 2008


Karsten Künne wrote:
> On Tuesday 13 May 2008 05:01:25 Roman Fiedler imposed structure on a
> stream of electrons, yielding:
>> Hi list,
>>
>> I do not know, if this is really an issue but I noticed that when
>> connecting to a remote ssh host with the standard linux openssh client
>> using a private key, that there is no line of text indicating when the
>> local key-passwd process was completed and the connection session was
>> established.
>>
>> On a compromised host, the login shell could write the line 'Enter
>> passphrase for key 'guess the filename using the current account
>> name':'. If unnoticed, the user will think, that he mistyped the
>> passphrase and repeat it. After capturing the word, the login could
>> continue with the standard procedure (e.g. motd banner).
>>
>
> What does that have to do with openssh? On a compromised host the attacker can
> do all kind of neat tricks and doesn't have to rely on openssh. For instance,
> a keylogger would be able to catch even more stuff and is probably easier to
> set up.
> Karsten.

Sorry, seems that my first statement was not precise. If I connect from 
my uncompromised local host A to some malicious host B, it could trick 
me to reenter the private key password so that it is captured on B. This 
would not be possible by installing a keystroke logger on B, only 
openssh "acts" as the "keystroke logger" in this case.

Of course, for a compromised A, openssh would not have to be blamed.

Roman
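One client-side way to get the missing "connection established" marker the thread asks for, added here as an example and not something proposed in the thread: OpenSSH's LocalCommand runs on the local machine after authentication has succeeded and before the remote side produces any output, so whatever it prints separates the genuine local passphrase prompt from anything host B writes. The marker text and the `Host *` scope are assumptions; adapt them to the local setup.

```sshconfig
# ~/.ssh/config  (constructed example; the marker wording is an assumption)
Host *
    # Without this, LocalCommand is silently ignored.
    PermitLocalCommand yes
    # Executed by the local shell once the key authentication is done,
    # before the remote login shell (motd, prompt, ...) gets to print anything.
    # %r and %h expand to the remote user name and host.
    LocalCommand echo "[local ssh] authenticated as %r@%h; anything below is remote output"
```

With this in place, a passphrase prompt that appears after the marker line cannot have come from the local ssh process. Loading the key into ssh-agent removes the interactive prompt from the connection entirely, which makes any prompt that does appear stand out.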


More information about the openssh-unix-dev mailing list