Compromised servers, SSH keys, and replay attacks
Andrew Daviel
advax at triumf.ca
Fri Jun 25 12:15:59 EST 2010
We had an incident recently where an openssh client and server were
replaced with trojanned versions (it has SKYNET ASCII-art in the binary,
if anyone's seen it. Anyone seen the source code ?). The trojan ssh &
sshd both logged host/user/password, and probably had a login backdoor.
Someone asked me what was their exposure if they used public/private keys
instead of passwords.
My suspicion is, for this particular trojan, zero.
But in general, I wondered what credentials could possibly be exposed to
a modified SSH client or server.
I imagine, if the client is modified it could capture passphrases, and
the private key (which could be in any case read from
the filesystem of a rooted box), in addition to I/O on the user terminal.
If a server is modified, I'm not so sure. I don't believe it could access
the passphrase which should never leave the client. I presume it could
capture the public key, which could be read from the filesystem anyway.
And I presume it could capture traffic to/from the virtual terminal.
Is there any way for an attacker to replay authentication to a third
machine, accessed via the compromised machine using ssh-agent ?
If a user connects to a compromised machine using keys, but from an
untainted client, do they need to change their keys or passphrase ?
(I presume, in principle, that an attacker could steal private user keys
and machine keys from a rooted server, then subvert the DNS and entice
users to login to their own server instead. Though I'm not sure why
they'd want to do that having got server root. Bypass a firewall, maybe.)
--
Andrew Daviel, TRIUMF, Canada
More information about the openssh-unix-dev
mailing list