Trick user to send private key password to compromised host

David A. Desrosiers david.a.desrosiers at gmail.com
Wed May 14 02:09:40 EST 2008


On Tue, May 13, 2008 at 11:57 AM, Roman Fiedler
<roman.fiedler at telbiomed.at> wrote:
>  Sorry, seems that my first statement was not precise. If I connect from
>  my uncompromised local host A to some malicious host B, it could trick
>  me to reenter the private key password so that it is captured on B. This
>  would not be possible by installing a keystroke logger on B, only
>  openssh "acts" as the "keystroke logger" in this case.

A few years ago, a colleague of mine had a server that we were all
given accounts on. Many of us logged in and changed the default
password right away. Some other people who were given accounts never
logged in at all, and these accounts remained with the default
password (a plain-English password, no numbers, no punctuation).

At some point, one account on the machine was brute-forced on that
server, and the culprit got in using the plain-English password for
the username they guessed. Once they were in, they downloaded a
rootkit from Romania, compiled it into /tmp/ and rooted the machine.
They compromised the box REPLACING the default sshd with one that
captured the user's password on the first entry, and passed the user
through on the second attempt.

For every captured password, they sent that information back to a
different server in Romania, presumably to add to their big master
list of usernames and passwords to try against other machines.

The part that made this particular hack very slick was that the process
that captured the user's password also looked at that user's
~/.ssh/known_hosts file, and then attempted to use THAT
username+password against all of the hosts listed there. It also
scanned $HOME and replicated its attack against all hosts listed in
each user's known_hosts file, spreading the "infection".

It was pretty nasty, and as I recall, not easy to detect at first,
other than that some of us who were used to logging in with keys were
suddenly being prompted for our passwords.


More information about the openssh-unix-dev mailing list