Trick user to send private key password to compromised host

Damien Miller djm at mindrot.org
Tue May 20 11:47:40 EST 2008


On Sat, 17 May 2008, Kevin Buhr wrote:

> Hi, Roman,
> 
> I commented on this issue quite some time ago.  See:
> 
>         http://marc.info/?t=95066120400001&r=1&w=2
> 
> It didn't generate much interest at the time, but I probably explained
> it poorly.  I agree with you that it is not a show-stopper, but I
> still think it represents a significant security problem.

Simple workaround: set IdentityFile=none in the system-wide ssh_config
and make your users use ssh-agent.

Fixing this is not as simple as putting a "you are now authenticated"
message somewhere. Keyboard-interactive authentication can display 
arbitrary prompts, so a compromised server may display the spoofed 
question prior to authentication success.

Furthermore, in a ttyful environment, any warning message
can be erased through terminal manipulation.

A so-compromised server could also pretend to fail pubkey authentication
entirely and ask for the user's password, which seems to be a more grave
threat (and completely impossible to defend against from the client side).

-d
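The keyboard-interactive exchange Damien refers to, as an added example that is not part of this thread and not OpenSSH's own code. It encodes and decodes SSH_MSG_USERAUTH_INFO_REQUEST as RFC 4256 defines it (message number 60: name, instruction, language tag, num-prompts, then prompt/echo pairs), so you can see that every byte of the prompt text is chosen by the server. The spoofed request, the local-prompt wording constant, the control-character regex and the "mimics local prompt" heuristic are constructions of mine for illustration; the heuristic is not something OpenSSH does, and it does nothing against the fallback Damien mentions where the server simply asks for the account password.

```python
import re
import struct

# RFC 4256 message number for SSH_MSG_USERAUTH_INFO_REQUEST.
SSH_MSG_USERAUTH_INFO_REQUEST = 60

# Wording of the prompt the local ssh client prints when it needs a key
# passphrase. Constant assumed for the comparison below (example only).
LOCAL_PASSPHRASE_PROMPT_PREFIX = "Enter passphrase for key"

# CSI sequences, other two-byte ESC sequences, and C0 controls other than
# tab/newline. Constructed for this example; not OpenSSH's filtering.
_CONTROL_RE = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]|\x1b.|[\x00-\x08\x0b-\x1f\x7f]")


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string' (RFC 4251): uint32 length followed by bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, off: int):
    """Decode an SSH 'string' at offset off; returns (bytes, new offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def build_info_request(name: str, instruction: str, prompts):
    """Encode SSH_MSG_USERAUTH_INFO_REQUEST the way a server emits it.
    prompts is a list of (text, echo) pairs; every string is server-chosen."""
    msg = bytes([SSH_MSG_USERAUTH_INFO_REQUEST])
    msg += _ssh_string(name.encode("utf-8"))
    msg += _ssh_string(instruction.encode("utf-8"))
    msg += _ssh_string(b"")  # language tag, left empty as RFC 4256 allows
    msg += struct.pack(">I", len(prompts))
    for text, echo in prompts:
        msg += _ssh_string(text.encode("utf-8")) + bytes([1 if echo else 0])
    return msg


def parse_info_request(msg: bytes):
    """Decode an INFO_REQUEST payload; raises ValueError if it is malformed."""
    if not msg or msg[0] != SSH_MSG_USERAUTH_INFO_REQUEST:
        raise ValueError("not an SSH_MSG_USERAUTH_INFO_REQUEST")
    off = 1
    name, off = _read_string(msg, off)
    instruction, off = _read_string(msg, off)
    _lang, off = _read_string(msg, off)
    if off + 4 > len(msg):
        raise ValueError("truncated num-prompts")
    (count,) = struct.unpack_from(">I", msg, off)
    off += 4
    prompts = []
    for _ in range(count):
        text, off = _read_string(msg, off)
        if off >= len(msg):
            raise ValueError("truncated echo flag")
        prompts.append((text.decode("utf-8", "replace"), msg[off] != 0))
        off += 1
    if off != len(msg):
        raise ValueError("trailing bytes after prompts")
    return {"name": name.decode("utf-8", "replace"),
            "instruction": instruction.decode("utf-8", "replace"),
            "prompts": prompts}


def sanitize(text: str) -> str:
    """Strip ESC sequences and control characters so a server-supplied string
    cannot move the cursor or erase earlier lines when printed to a tty."""
    return _CONTROL_RE.sub("", text)


def audit_info_request(msg: bytes):
    """Client-side view: sanitized fields plus, per prompt, whether the text
    imitates the client's own local passphrase prompt (heuristic only)."""
    req = parse_info_request(msg)
    clean_instruction = sanitize(req["instruction"])
    findings = []
    for text, echo in req["prompts"]:
        clean = sanitize(text)
        findings.append({
            "prompt": clean,
            "echo": echo,
            "control_chars_removed": clean != text,
            "mimics_local_passphrase_prompt":
                clean.lstrip().startswith(LOCAL_PASSPHRASE_PROMPT_PREFIX),
        })
    return {"name": sanitize(req["name"]),
            "instruction": clean_instruction,
            "instruction_had_control_chars": clean_instruction != req["instruction"],
            "prompts": findings}


# Constructed example of what a compromised server could send before (or
# instead of) public-key authentication: the instruction erases the previous
# terminal line (cursor up, clear line) and the prompt copies the wording the
# local client would use for a key passphrase.
SPOOFED_REQUEST = build_info_request(
    name="",
    instruction="\x1b[1A\x1b[2K",
    prompts=[("Enter passphrase for key '/home/alice/.ssh/id_rsa': ", False)],
)

if __name__ == "__main__":
    import json
    print(json.dumps(audit_info_request(SPOOFED_REQUEST), indent=2))
```

Only the authentication payload is shown; on the wire it sits inside the encrypted binary packet protocol, which is why the client, not the network, is the only place the prompt text can be inspected. Note that the server can freely vary the wording, so a prefix match like the one above is trivially evaded and only illustrates where such a check would have to live.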

