vulnerability with ssh-agent

Keld Jørn Simonsen keld at dkuug.dk
Sun Jul 18 02:17:02 EST 2004


On Sat, Jul 17, 2004 at 05:41:31PM +0200, Peter Stuge wrote:
> On Sat, Jul 17, 2004 at 05:04:15PM +0200, Keld Jørn Simonsen wrote:
> 
> > I am appalled by the ease it is to use the ssh-agent for an intruder.
> 
> So don't use it.

ssh is much better than the alternatives... And openssh is the best:-)
That is why I would like to improve it.

> I'm being redundant now, but you can not protect regular user resources
> from root privilege. If someone gets root in your system, game over,
> do restore and/or reinstall.

Yes, so much I understand. For the system that has been broken into.
But that is not my concern.  I am trying to prevent that the damage
spreads to *other* systems, not yet intruded.

> > and it is probably accessible for a program with root permissions
> > without inheriting the fd.
> 
> Again, being redundant; _everything_ in the system is accessible for
> a program with root permissions. Absolutely everything.

Yes, of course. But it may be more difficult than just giving a single
shell command, which is quite obvious. What I am suggesting would need a
lot of hacking to break, I think.  But I am not sure. Maybe it is easy
to just take the code out of the libraries and the kernel, and then hack
it a little, and then you have your own implementation of sockets, with
a twist.

And then again, I was unsure that even root could do
everything - maybe the kernel would not allow root to do some things
that the system calls do not support, such as writing to a socket which
the kernel knows that the particular root process does not have access to.

Also some of the information is available on other systems, e.g. via
forwardagent, so that root does not have immediate access to it.

> Unless..
> 
> ..you really want to lock your system down, in that case please have
> a look at systrace, which allows very precise control over what
> userspace software can do and can not do to the system.

Yes, I will take a look.

> Hope this helps.

Yes, thanks for the input.

best regards
keld
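As an added illustration (not code from this thread, from OpenSSH or from any poster): what the agent socket hands any process that is able to open it, next to a check of the discretionary permissions that are the only thing guarding it against a non-root intruder. The socket path, user name and sample agent reply are constructed.

```python
import os
import socket
import struct

# ssh-agent protocol message numbers (from the agent protocol, not from this thread).
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12

def _s(b):  # encode one SSH "string": uint32 big-endian length, then the bytes
    return struct.pack(">I", len(b)) + b

def _read_s(data, off):  # decode one SSH "string" at off; returns (bytes, next offset)
    (n,) = struct.unpack_from(">I", data, off)
    return data[off + 4:off + 4 + n], off + 4 + n

def parse_identities_answer(msg):
    """Decode an SSH_AGENT_IDENTITIES_ANSWER body into [(key type, comment), ...]."""
    if msg[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected agent reply type %d" % msg[0])
    (count,), off, keys = struct.unpack_from(">I", msg, 1), 5, []
    for _ in range(count):
        blob, off = _read_s(msg, off)
        comment, off = _read_s(msg, off)
        keys.append((_read_s(blob, 0)[0].decode(), comment.decode()))  # blob starts with type name
    return keys

def list_agent_identities(sock_path):
    """The exchange ssh-add -l performs: any process that can open the socket gets this list."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(struct.pack(">IB", 1, SSH_AGENTC_REQUEST_IDENTITIES))
        (n,), body = struct.unpack(">I", s.recv(4)), b""
        while len(body) < n:
            body += s.recv(n - len(body))
    return parse_identities_answer(body)

def socket_exposure(sock_path, uid=None):
    """DAC findings on the socket and its directory; none of these bits bind a root process."""
    uid = os.getuid() if uid is None else uid
    st, dst = os.lstat(sock_path), os.stat(os.path.dirname(sock_path))
    checks = [(st.st_uid != uid, "socket owned by uid %d, not you" % st.st_uid),
              (st.st_mode & 0o077, "socket mode %o reachable by group/other" % (st.st_mode & 0o777)),
              (dst.st_mode & 0o077, "directory mode %o reachable by group/other" % (dst.st_mode & 0o777))]
    return [msg for bad, msg in checks if bad]

# Constructed reply (one ed25519 key, all-zero public part) so the parser runs with no agent present.
SAMPLE_ANSWER = (bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 1)
                 + _s(_s(b"ssh-ed25519") + _s(b"\x00" * 32)) + _s(b"alice@laptop (constructed)"))
```

On a live session, `socket_exposure(os.environ["SSH_AUTH_SOCK"])` should come back empty for the socket's owner, and `list_agent_identities` on the same path shows exactly what a forwarded agent exposes on the remote host.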
More information about the openssh-unix-dev mailing list