OpenSSH daemon security bug?

Jefferson Ogata Jefferson.Ogata at noaa.gov
Wed Jan 6 10:51:57 EST 2010


On 2010-01-05 20:37, Michael Stone wrote:
> On Tue, Jan 05, 2010 at 07:25:03PM +0000, Jefferson Ogata wrote:
>> For what it's worth, as an incident handler, I've witnessed a lot of
>> cases of password guessing against sshd in my days. I haven't seen a
>> single instance of someone stealing a passphrased pubkey and using that,
> 
> Consider yourself lucky. :-) Next question: how strong were the guessed 
> passwords? (Rhetorical; you note later down that they were generally the 
> result of someone doing something dumb. Note that the facilities to 
> centralize and enforce password policy are fairly common--how do you 
> prevent that same admin from doing something dumb with the key "just 
> temporarily"?)

I'm not lucky. If you've seen someone steal a key *and* a passphrase and 
use it, you're the lucky/unlucky one. I've been doing incident response 
for over 10 years and I've never seen that happen.

Of course admins can be dumb in many ways, but they're far more likely 
in practice to be dumb in the way of assigning a weak password while 
creating a role account, than in the way of creating a passphraseless 
keypair for a role account and somehow sharing the private key.

>> let alone discovering the passphrase on a key; the only compromises I've
>> seen that involve pubkeys are intruders using an unpassphrased key from
>> the system on which it resides to get to a related system, generally by
>> consulting .ssh/known_hosts. 
> 
> Yup, that would be it.
> 
>> Of course, attacks against pubkeys are
>> possible, but they almost never happen.
> 
> *OF COURSE* nobody is attacking the keys cryptographically, that's not 
> the weak link.

I'm not talking about cryptographic attacks; I'm talking about attacks 
against passphrase protection on keys, e.g. keyloggers. It's possible, 
but it's not a problem people are having to deal with on a frequent basis.

-- 
Jefferson Ogata <Jefferson.Ogata at noaa.gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt at noaa.gov>
"Never try to retrieve anything from a bear."--National Park Service
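The one public-key compromise pattern Ogata describes above (an intruder reading an unpassphrased private key on the box it sits on, then consulting .ssh/known_hosts to find where it works) is cheap to audit for. The following is an added example written for this page, not code from the thread or from OpenSSH: it decides whether a private key file is passphrase-protected (the openssh-key-v1 container records cipher and KDF names of "none" when it is not; legacy PEM keys carry a "Proc-Type: 4,ENCRYPTED" header when they are) and lists the hostnames a thief can read straight out of a known_hosts file. All key blobs and known_hosts lines are constructed for the example; the openssh-key-v1 blobs contain only the header fields, no real key material.

```python
"""Audit for the pivot pattern: unencrypted ~/.ssh key + cleartext known_hosts.
Every key and host below is constructed test data (assumption: not real)."""
import base64
import re
import struct

MAGIC = b"openssh-key-v1\x00"


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def _fake_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """Constructed test data: only the openssh-key-v1 header (cipher name,
    kdf name, kdf options, key count). No key material follows."""
    blob = (MAGIC + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(b"") + struct.pack(">I", 1))
    b64 = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


def key_is_passphrase_protected(pem_text: str) -> bool:
    """True if the private key file is encrypted under a passphrase."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        cipher, off = _read_string(blob, len(MAGIC))
        kdf, _ = _read_string(blob, off)
        # Unencrypted keys record cipher "none" and kdf "none".
        return not (cipher == b"none" and kdf == b"none")
    if re.fullmatch(r"-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----", header):
        # Legacy PEM: passphrase-protected keys carry Proc-Type: 4,ENCRYPTED.
        return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln
                   for ln in lines[1:])
    raise ValueError("unrecognised private key format")


def cleartext_known_hosts_targets(text: str) -> list:
    """Hostnames readable directly from known_hosts. Hashed entries
    (HashKnownHosts yes) start with "|1|" and are skipped: they tell an
    intruder nothing about where the key has been used."""
    targets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):      # @cert-authority / @revoked marker
            fields = fields[1:]
        hostfield = fields[0]
        if hostfield.startswith("|1|"):
            continue
        targets.extend(h for h in hostfield.split(",") if h)
    return targets


def audit(keys: dict, known_hosts: str) -> dict:
    """Which keys lack a passphrase, and which hosts a thief could try them on."""
    unprotected = sorted(name for name, pem in keys.items()
                         if not key_is_passphrase_protected(pem))
    return {"unprotected_keys": unprotected,
            "pivot_targets": cleartext_known_hosts_targets(known_hosts)}


# Constructed sample input (not real keys or hosts).
SAMPLE_KEYS = {
    "id_ed25519": _fake_openssh_key(b"none", b"none"),                # no passphrase
    "id_ed25519_work": _fake_openssh_key(b"aes256-ctr", b"bcrypt"),   # protected
    "id_rsa_legacy": ("-----BEGIN RSA PRIVATE KEY-----\n"
                      "Proc-Type: 4,ENCRYPTED\n"
                      "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n"
                      "\n"
                      "AAAA\n"
                      "-----END RSA PRIVATE KEY-----\n"),
}

SAMPLE_KNOWN_HOSTS = """\
# constructed known_hosts
bastion.example.net,10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHNvbWVrZXk=
[db.example.net]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHNvbWVrZXk=
|1|bG9uZy1zYWx0LWhlcmU=|aGFzaGVkLWhvc3RuYW1l ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHNvbWVrZXk=
@cert-authority *.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHNvbWVrZXk=
"""

if __name__ == "__main__":
    print(audit(SAMPLE_KEYS, SAMPLE_KNOWN_HOSTS))
```

Run against a real ~/.ssh, the two findings to act on are the entries in unprotected_keys (add a passphrase, or move the key into an agent and off the disk) and a non-empty pivot_targets list (set HashKnownHosts yes in ssh_config and run ssh-keygen -H on the existing file). The hashed line in the sample is deliberately excluded from the targets to show what that setting buys you.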

