vulnerability with ssh-agent

Ben Lindstrom mouring at etoh.eviladmin.org
Sun Jul 18 03:31:10 EST 2004



On Sat, 17 Jul 2004, Keld Jørn Simonsen wrote:

> On Sat, Jul 17, 2004 at 10:59:41AM -0500, Ben Lindstrom wrote:
> >
> >
> > On Sat, 17 Jul 2004, Keld Jørn Simonsen wrote:
> >
> > > I have taken the sources and done a little hacking, and I noticed a
> > > remark that the encryption of sensitive information in ssh-agent was a
> > > "TODO". So somebody other than me, and with some status in the project,
> > > enough to make comment on what to do, has also considered it a good
> > > idea to encrypt keys and other stuff.
> >
> > You're misunderstanding the comment.  The comment is suggesting when
> > ssh-agent is locked that all private data should be encrypted beyond
> > setting the "locked" flag.
> >
> > It is not an overall "keep everything encrypted that is private".
>
> OK, sorry. What would be the difference between always keeping the data
> encrypted, and only when it is locked? It would be the same data, if I
> understand it correctly? I am looking for some obfuscation. I think,
> currently, the keys can be obtained by a root intruder by just using a
> standard debugger. I would like him to sweat a little.
>

One doesn't leave the locking passphrase in memory, and the other one
does.  Thus it adds nothing for security in the latter case.

Obscurity is almost never worth the time spent.  A day or two after it
hits the CVS tree the real crackers have already updated their attacking
code, and a month later it filters down to the kiddy scripters.  This is
even more true for open source / free software projects whose changes are
open for the world to see.

So what does obscurity gain you in this case?

I'd rather have time spent on real improvements than pissing away time
doing obscurity tricks that will never last.  Even worse, there have been
times when these tricks have actually introduced new security holes.

If you are looking for obscurity instead of real security then you'll
find yourself writing it yourself and upkeeping it yourself.
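The distinction Ben draws above, modelled as an added illustration (not code from this thread and not OpenSSH's ssh-agent): a locked agent encrypts its keys under a passphrase that is then discarded, while an "always encrypted" agent must keep its own decryption key in memory, so a snapshot of that memory already contains everything needed. The stream cipher, the agent classes and the sample key bytes are constructed for the illustration.

```python
import hashlib
import secrets
from typing import Optional

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy XOR stream cipher keyed by SHA-256; illustration only."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

class LockableAgent:
    """Model of ssh-agent locking: keys are encrypted under the lock
    passphrase and the passphrase itself is not retained."""
    def __init__(self, private_key: bytes):
        self.blob = private_key      # plaintext while unlocked
        self.locked = False
    def lock(self, passphrase: str) -> None:
        k = hashlib.sha256(passphrase.encode()).digest()
        self.blob = keystream_xor(k, self.blob)
        self.locked = True
        # passphrase and derived key go out of scope here; nothing kept
    def unlock(self, passphrase: str) -> None:
        k = hashlib.sha256(passphrase.encode()).digest()
        self.blob = keystream_xor(k, self.blob)
        self.locked = False
    def memory_image(self) -> dict:
        return {"blob": self.blob, "locked": self.locked}

class AlwaysEncryptedAgent:
    """The proposed design: key encrypted in memory, but the obfuscation
    key has to live in the same process to be usable."""
    def __init__(self, private_key: bytes):
        self.obf_key = secrets.token_bytes(32)
        self.blob = keystream_xor(self.obf_key, private_key)
    def memory_image(self) -> dict:
        return {"blob": self.blob, "obf_key": self.obf_key}

def recover_from_image(image: dict) -> Optional[bytes]:
    """What a memory snapshot alone (no passphrase) yields."""
    if "obf_key" in image:            # always-encrypted: key is right there
        return keystream_xor(image["obf_key"], image["blob"])
    if not image["locked"]:           # unlocked agent: plaintext anyway
        return image["blob"]
    return None                       # locked: ciphertext, passphrase absent
```

Only the locked-and-passphrase-discarded state returns nothing from the snapshot, which is why the "TODO" about encrypting data when locked is a different proposition from encrypting it all the time.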

More information about the openssh-unix-dev mailing list