vulnerability with ssh-agent

Ben Lindstrom mouring at etoh.eviladmin.org
Sun Jul 18 02:22:09 EST 2004



On Sat, 17 Jul 2004, Peter Stuge wrote:

> On Sat, Jul 17, 2004 at 05:04:15PM +0200, Keld Jørn Simonsen wrote:
[..]
> Again, being redundant; _everything_ in the system is accessible for
> a program with root permissions. Absolutely everything.
>
> Unless..
>
> ..you really want to lock your system down, in that case please have
> a look at systrace, which allows very precise control over what
> userspace software can do and can not do to the system.
>

Even then, root can bypass systrace rules if he/she so wished.  Trusted
UNIX or extended ACLs that enforce permissions even at the root level are the
only effective ways.

The problem with all Trusted UNIX systems is frankly that they are over-designed
and add so much code in the common code paths that they are asking to be
breached (Again, my personal belief.. but I'm no one so I can be safely
ignored =).

>
> > I also need to consider whether the ssh -c option is enough for me
> > and my small advisory, and if it works as I would like it to do.
>
> Not ssh -c, ssh-add -c. It's as good as it can get with the agent.
>

And only useful if the attacker is coming in the front door and you are on
an X-terminal to receive the messages.  Rather worthless if you are on a
console or remote ssh connection using ssh-agent on another trusted remote
machine.

On any modern UNIX there should be getpeereid(), which is the best you can
hope for to keep people off your private sockets other than file
permissions.

ssh-add -t / ssh-agent -t may be more useful.  Mainly if you know your
key will be used for the next XX minutes and then not used for a long time
afterwards.  This would limit the unencrypted key material in memory.

The only thing that would be interesting to try would be to add a key with -t,
then lock the agent, and see if the agent still reaps the key after the
lifetime has expired (Never tried it myself since I rarely use ssh-agent,
and when I do it is from my laptop).

Going off on a side thought.. The reason why ssh-agent doesn't encrypt
private data by default is that the key to decrypt it would have to be
either lying around in memory or the user would have to be prompted for
it every time.  The latter would defeat the whole reason for
ssh-agent.  The former would just be obscurity and wouldn't really stop
someone from compromising the decrypted key material.

- Ben
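The peer-credential check Ben refers to, as an added example that is not part of the thread and not OpenSSH's own code: a server holding a private UNIX-domain socket asks the kernel who is on the other end and rejects any uid other than its own (or root). The function names peer_credentials, peer_allowed and selfcheck are assumptions for this example; Linux has no getpeereid() and exposes the same information through SO_PEERCRED, so both paths are handled.

```c
/* Added example, not code from the thread or from OpenSSH: refuse a
 * UNIX-domain socket peer that does not run under our own uid, the check
 * the thread means by getpeereid(). Linux lacks getpeereid() and offers
 * SO_PEERCRED instead, so both are handled. */
#define _GNU_SOURCE
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Peer's effective uid/gid; returns 0 on success, -1 on error. */
int peer_credentials(int fd, uid_t *uid, gid_t *gid)
{
#if defined(SO_PEERCRED)
    struct ucred cr;
    socklen_t len = sizeof(cr);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &len) == -1)
        return -1;
    *uid = cr.uid;
    *gid = cr.gid;
    return 0;
#else
    return getpeereid(fd, uid, gid);
#endif
}

/* Allow only our own uid or root (root can read the key material anyway,
 * as the thread notes). Returns 1 to allow, 0 to reject. */
int peer_allowed(int fd)
{
    uid_t uid;
    gid_t gid;
    if (peer_credentials(fd, &uid, &gid) == -1)
        return 0;
    return uid == getuid() || uid == 0;
}

/* Self-check on a socketpair: both ends belong to this process, so the
 * peer must pass. Returns 1 when it does. */
int selfcheck(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
        return 0;
    int ok = peer_allowed(sv[0]);
    close(sv[0]);
    close(sv[1]);
    return ok;
}
```

In a real agent the check runs on the descriptor returned by accept() before any request is read; file permissions on the socket directory still matter, since this only tells you who connected, not who could have.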
