Trick user to send private key password to compromised host
Damien Miller
djm at mindrot.org
Tue May 20 11:47:40 EST 2008
On Sat, 17 May 2008, Kevin Buhr wrote:
> Hi, Roman,
>
> I commented on this issue quite some time ago. See:
>
> http://marc.info/?t=95066120400001&r=1&w=2
>
> It didn't generate much interest at the time, but I probably explained
> it poorly. I agree with you that it is not a show-stopper, but I
> still think it represents a significant security problem.
Simple workaround: set IdentityFIle=none in the system-wide ssh_config
and make your users use ssh-agent.
Fixing this is not as simple as putting a "you are now authenticated"
message somewhere. Keyboard-interactive authentication can display
arbitrary prompts, so a compromised server may display the spoofed
question prior to authentication success.
Furthermore, in a ttyful environment, connections any warning message
can be erased through terminal manipulation.
A so-compromised server could also pretend to fail pubkey authentication
entirely and ask for the user's password, which seems to be a more grave
threat (and completely impossible to defend against from the client side).
-d
More information about the openssh-unix-dev
mailing list