LPK integration - summary and ideas
Howard Chu
hyc at symas.com
Thu Jun 10 17:42:33 EST 2010
Philipp Marek wrote:
> Hello Dan,
>
> On Wednesday, 9 June 2010, 17:33:26, Dan Kaminsky wrote:
>>> What this should help against is (I think) that the external process
>>> gets hijacked to provide attacker-supplied authorization information.
>>>
>>> The original mail wanted to check some kind of signature; to make that
>>> easier I proposed to just start the process once, with sshd, so that a
>>> simple file rename isn't sufficient to gain access.
>> This is a false security boundary. At the point where file renames work,
>> there is little that can be done to defend against attack.
That was my point re: checking uid of the peer process being sufficient. If an
attacker is already able to subvert files on the filesystem or assume the
identity of a privileged server process, then all bets are off. You could go
to the trouble of inventing a crypto handshake for IPC but it's wasted effort
- either the machine's security is intact, and it's superfluous, or the
machine has been compromised, and none of your key data is trustworthy.
When the system integrity really counts you'll have binaries and certificates
mounted on a physically write-protected filesystem...
> Well, that was just a guess on my side.
>
> As I wrote, the mail at
> http://marc.info/?l=openssh-unix-dev&m=125655418812760&w=2
> had a few lines discussion about (hash/signature) verification of the
> AuthorizedKeysCommand.
>
> But as you'd have to check every library that might be loaded (including
> libnss*), even checking for LD_LIBRARY_PATH and so on, this might not be
> realistic.
>
> So I proposed to only start the program once - that should provide
> sufficient security, I think, because /usr/sbin/sshd could be attacked the
> same way.
>
>
>> I could see some wisdom in requiring a full path to the
>> ExternalAuthCommand app, though, since we already have such a
>> requirement for sshd itself.
> Ok, fine.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/