OpenSSH daemon security bug?

Jefferson Ogata Jefferson.Ogata at noaa.gov
Wed Jan 6 06:25:03 EST 2010


On 2010-01-05 19:06, Michael Stone wrote:
> Also, it's worth noting that "well, people can mishandle passwords"
> isn't really a worthwhile argument. The question should be, "what threat
> are you trying to mitigate by using keys?" If you know what you're
> trying to do and why you're trying to do it, then you can have a
> rational discussion of the costs vs benefits of the two approaches. 
> (IMO, there's no single "right answer" for everybody, which is why it
> needs to be thought about.)

It's not "people can mishandle passwords". It's "people do mishandle
passwords".

For what it's worth, as an incident handler, I've witnessed a lot of
cases of password guessing against sshd in my days. I haven't seen a
single instance of someone stealing a passphrased pubkey and using that,
let alone discovering the passphrase on a key; the only compromises I've
seen that involve pubkeys are intruders using an unpassphrased key from
the system on which it resides to get to a related system, generally by
consulting .ssh/known_hosts. Of course, attacks against pubkeys are
possible, but they almost never happen.

The typical script kiddie who gets into your system has an ssh password
guessing tool that he uses to scan outbound from the compromised box,
and that's exactly how he got into the box. Of course, script kiddies
aren't your only threat, but you might be surprised how often they are
successful.

One of the things that happens when PasswordAuthentication is enabled is
that some lame sysadmin decides to set up some new software that
requires a dedicated userid. So he creates the user and assigns it a
weak password, with the intention of changing it "later" (never mind
that the user didn't need a password at all). Of course, a couple of
weeks later (if that) you start seeing the outbound ssh scans...

For me, it's a no-brainer. Turn off password auth.

-- 
Jefferson Ogata <Jefferson.Ogata at noaa.gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt at noaa.gov>
"Never try to retrieve anything from a bear."--National Park Service
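The setting the post argues about is PasswordAuthentication in sshd_config. The script below is an added example, not code from this thread or from OpenSSH: it resolves the effective global value of a keyword the way sshd does (first occurrence wins, keywords case-insensitive, global settings end at the first Match block) and audits two constructed sample configs, one in the "set it up and fix it later" state described above and one with password logins actually off. It assumes the compiled-in defaults stated in the comments (PasswordAuthentication and ChallengeResponseAuthentication both default to yes) and writes only to a temporary directory, never to /etc/ssh.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config for the
# password-authentication settings discussed in the post. Sample configs
# are constructed below; nothing here reads or touches /etc/ssh/sshd_config.

# Print the effective global value of a keyword in an sshd_config file.
# sshd rules mirrored here: keywords are case-insensitive, the FIRST
# occurrence wins (later duplicates are ignored), '#' lines are comments,
# and global keywords must precede any Match block, so we stop at 'Match'.
# $3 is the compiled-in default used when the keyword is absent.
sshd_effective() {
    _key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    _val=$(awk -v key="$_key" '
        /^[[:space:]]*#/ { next }
        NF < 2 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }
    ' "$1")
    if [ -n "$_val" ]; then printf '%s\n' "$_val"; else printf '%s\n' "$3"; fi
}

# Report whether password-style logins remain possible. Setting
# PasswordAuthentication no alone is not enough: with UsePAM, the
# keyboard-interactive method (ChallengeResponseAuthentication, renamed
# KbdInteractiveAuthentication in OpenSSH 8.7 and later) still prompts for
# the account password. Both default to "yes" when unset.
# Returns 0 when no password-based method is left, 1 otherwise.
audit_password_auth() {
    _pa=$(sshd_effective "$1" PasswordAuthentication yes | tr 'A-Z' 'a-z')
    _cr=$(sshd_effective "$1" ChallengeResponseAuthentication yes | tr 'A-Z' 'a-z')
    _ki=$(sshd_effective "$1" KbdInteractiveAuthentication "$_cr" | tr 'A-Z' 'a-z')
    _ok=0
    [ "$_pa" = no ] || { echo "$1: PasswordAuthentication is $_pa"; _ok=1; }
    [ "$_ki" = no ] || { echo "$1: keyboard-interactive (PAM password) is $_ki"; _ok=1; }
    return $_ok
}

# Constructed sample configs: a stock-looking file where password auth is
# still on (the keyword is only commented out), and a hardened one. The
# Match block in the hardened file is deliberately ignored by the global
# audit, which is how sshd treats it for users other than "backup".
write_sample_configs() {
    cat > "$1/weak.conf" <<'EOF'
# constructed sample: password guessing gets a shot at every account
Port 22
#PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
EOF
    cat > "$1/hard.conf" <<'EOF'
# constructed sample: only public keys are accepted globally
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
Match User backup
    PasswordAuthentication yes
EOF
}

main() {
    _d=$(mktemp -d)
    write_sample_configs "$_d"
    for _f in "$_d"/weak.conf "$_d"/hard.conf; do
        if audit_password_auth "$_f"; then echo "$_f: password logins disabled"; fi
    done
    rm -rf "$_d"
}
main
```

Run it as-is to see the two verdicts, or point `audit_password_auth` at a copy of a real sshd_config. The check deliberately reads the file rather than the running daemon; `sshd -T` prints the effective values on a live host and is the authoritative source when the two disagree.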