Compromised servers, SSH keys, and replay attacks

[Andrew Daviel]

We had an incident recently where an openssh client and server were 
replaced with trojanned versions (it has SKYNET ASCII-art in the binary, 
if anyone's seen it. Anyone seen the source code ?). The trojan ssh & 
sshd both logged host/user/password, and probably had a login backdoor.

Someone asked me what was their exposure if they used public/private keys 
instead of passwords.

My suspicion is, for this particular trojan, zero.
But in general, I wondered what credentials could possibly be exposed to 
a modified SSH client or server.

I imagine, if the client is modified it could capture passphrases, and 
the private key (which could be in any case read from 
the filesystem of a rooted box), in addition to I/O on the user terminal.

If a server is modified, I'm not so sure. I don't believe it could access 
the passphrase which should never leave the client. I presume it could 
capture the public key, which could be read from the filesystem anyway.
And I presume it could capture traffic to/from the virtual terminal.

Is there any way for an attacker to replay authentication to a third 
machine, accessed via the compromised machine using ssh-agent ?

If a user connects to a compromised machine using keys, but from an 
untainted client, do they need to change their keys or passphrase ?

(I presume, in principle, that an attacker could steal private user keys 
and machine keys from a rooted server, then subvert the DNS and entice 
users to login to their own server instead. Though I'm not sure why 
they'd want to do that having got server root. Bypass a firewall, maybe.)

-- 
Andrew Daviel, TRIUMF, Canada