vulnerability with ssh-agent

Keld Jørn Simonsen keld at dkuug.dk
Sun Jul 18 06:54:57 EST 2004


On Sat, Jul 17, 2004 at 01:10:40PM -0400, Rob McCauley wrote:
> 
> > > I'm being redundant now, but you can not protect regular user resources
> > > from root privilege. If someone gets root in your system, game over,
> > > do restore and/or reinstall.
> >
> > Yes, so much I understand. For the system that has been broken into.
> > But that is not my concern.  I am trying to prevent that the damage
> > spreads to *other* systems, not yet intruded.
> 
> With all due respect, no you don't.  Remote system is compromised.  The
> intruder is, for all intents and purposes, any user account on the system
> or all of them.  With a little patience, the remote intruder WILL get into
> your system if you permit logins from that compromised system.  You simply
> can't expect a compromised system to protect you.

Yes, an intruder probably could get into my server if my laptop was
compromised. But would he not need the dsa key?
Or maybe my passwd?
And the only place he can get it is in the ssh-agent?
Or is the id_dsa file enough?
Or could he crack the id_dsa key?
I thought this was difficult (took a long time), with 1024 bits.

> I'm sorry, but if you *really* need this functionality, I think the
> closest you're going to get is one time passwords, and even they can be
> intercepted by root on the remote system.  The intruder logs in via the
> captured password, the real user gets a failure message and thinks "Oops,
> I fat fingered my password," tries with the next one time password and
> gets in, none the wiser that YOUR box has just been compromised.  Audit
> and investigate ANY time a one time password use fails, perhaps.

I would like to avoid typing passwords and keys, not just because it is
cumbersome, but because it is unsafe. That is, if my system is
compromised, most rootkits have a keylogger, and then I am sold.

My aim is that I have written a guide for average users, and a
commenter said there were holes in it.  I am trying to see if I can mend
the holes.

> I think you're looking for a silver bullet.  A layer of complexity that
> will confuse you enough to feel safe, but some intrepid hacker will walk
> right through.  You think your solution will take "a lot of hacking."  If
> you're right, someone will do that lot of hacking and distribute the code.
> I think you're much better off understanding the risk and taking
> appropriate steps to mitigate it.

Yes, but it is difficult to see where the pitfalls are. It was not clear
to me how vulnerable my server would be if my laptop was compromised.
I probably should set up the server to only accept dsa, not passwd,
which is only 64 bit and crackable.


best regards
keld
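As an added example that is not part of the thread, a small POSIX shell audit of the server-side setting Keld proposes (accept keys only, not passwords): it reads an sshd_config the way sshd does (keywords are case-insensitive, the first occurrence wins) and flags keyboard-interactive/PAM as the caveat that leaves a password prompt open even when PasswordAuthentication is off. The two sample configs are constructed, and sshd_option and audit_sshd_config are names chosen here; Match and Include blocks are not handled.

```shell
# Added example, not from the mailing list: audit an sshd_config for key-only logins.
# Assumes stock OpenSSH keyword semantics (case-insensitive keyword, first occurrence
# wins). Match blocks and Include files are deliberately not handled.

# sshd_option KEYWORD FILE DEFAULT -> prints the effective value of KEYWORD
sshd_option() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ || NF < 2 { next }            # skip comments and blanks
        tolower($1) == key { print $2; found = 1; exit } # first occurrence wins
        END { if (!found) print def }' "$2"
}

# audit_sshd_config FILE -> prints findings, exit status 1 if any
audit_sshd_config() {
    cfg=$1; rc=0
    # Password logins are exactly what a keylogger on a compromised client harvests.
    if [ "$(sshd_option PasswordAuthentication "$cfg" yes)" != no ]; then
        echo "WEAK: PasswordAuthentication is not 'no'"; rc=1
    fi
    # With PAM, keyboard-interactive still prompts for the account password, so
    # PasswordAuthentication no is not enough. KbdInteractiveAuthentication is the
    # newer name; ChallengeResponseAuthentication the older one (both default yes).
    kbd=$(sshd_option KbdInteractiveAuthentication "$cfg" "")
    [ -n "$kbd" ] || kbd=$(sshd_option ChallengeResponseAuthentication "$cfg" yes)
    if [ "$kbd" != no ]; then
        echo "WEAK: keyboard-interactive is not 'no' (password prompt via PAM)"; rc=1
    fi
    if [ "$(sshd_option PubkeyAuthentication "$cfg" yes)" != yes ]; then
        echo "WEAK: PubkeyAuthentication disabled; key-only login impossible"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $cfg accepts public keys only"
    return "$rc"
}

# Constructed sample configs (not real files from any host).
WEAK_CFG=$(mktemp); HARDENED_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
# constructed sample: the trailing 'no' is ignored because the first value wins
#PasswordAuthentication no
PasswordAuthentication yes
PasswordAuthentication no
EOF
cat >"$HARDENED_CFG" <<'EOF'
# constructed sample: key-only logins
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
EOF
audit_sshd_config "$WEAK_CFG" || :
audit_sshd_config "$HARDENED_CFG"
```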

