Overconfidence in SSH Protection 194
nitsudima writes to mention a post on the Informit site about the common misunderstandings surrounding SSH, and how well-intentioned admins may be creating holes in their own security by using it. From the article: "In UNIX, all things are files. To send network traffic, UNIX writes the traffic to the network device file. In this case, the connection to Box A (and that private key used for authentication) is a socket file. This file will shuttle the authentication traffic between Box A and Box P. So what's the risk? Maybe the hacker can't get a copy of the private key through the socket file, but something better (from his/her view) can be done. If the hacker has root on Box D, he or she can point a private copy of the agent forwarding software to that socket file and thereby point the authentication process to the administrator's credentials--the ones kept on the 'safe' intranet. What are the chances that the administrator has configured access to all the DMZ servers he controls?"
Hopefully, a better summary... (Score:3, Informative)
The submitter didn't summarise anything, he cut out a chunk which didn't make much sense on its own. It didn't help that the article was fairly long-winded. This is what I understand the author is trying to say:
As others have commented, this is kind of a "duh" moment. What's the next article?Basic Stuff (Score:5, Informative)
Anyone who tunnels from the DMZ to a trusted host which can execute commands on a sensitive server can't see the forest for the trees. You've learned how to use SSH and tunnel, but you're lacking some basic common sense.
Also, I don't see what good a socket catching the authentication will do
That whole article seemed a bit of voodoo itself. Many incongruous statements, like "If the hacker has root on Box D, he or she can point a private copy of the agent forwarding software to that socket file and thereby point the authentication process to the administrator's credentials--the ones kept on the "safe" intranet."
What does that mean, exactly? You direct the authentication process to a socket file and point the process to the admin's credentials? If the socket is on the DMZ host, and the credentials are on the private network host, how can you point the authentication process to those credentials?
Maybe I'm stupid, but the article didn't seem to make a lot of sense.
Re:Huh? What? (Score:5, Informative)
User A on box foo:
foo> ssh-agent xterm
foo> ssh-add
* enters their pass key *
User A can now ssh to any box that has their public key in box:$HOME/.ssh/authorized_keys
User B (evul hacker with root on box foo):
foo# SSH_AGENT_PID=XXXX; export SSH_AGENT_PID
foo# SSH_AUTH_SOCK=/tmp/ssh-YYYY/ZZZZ; export SSH_AUTH_SOCK
User B now can ssh to any box that User A can, as above.
(where XXXX, YYYY, and ZZZZ are determined by evul hacker)
Re:Huh? What? (Score:2, Informative)
I think the main point (the one the article submitter picked up on) was that if an attacker can compromise your DMZ box (the most vulnerable box your company owns and hence the least trusted box your company owns) that has no private ssh keys stored on it and can't connect to any other trusted box but does have trusted boxes connecting to it, then he can use that to compromise further trusted boxes inside the organisation.
To put it another way, if you ssh to an attacker's machine using agent forwarding he can probably ssh back to yours.
AgentForwarding AS AN OPTIONAL FEATURE (Score:3, Informative)
Re:AgentForwarding AS AN OPTIONAL FEATURE (Score:4, Informative)
Rather than assume anyone^H^H^H^H^H^Heveryone on slashdot has any brains when it comes to Securing SSH let me give you some tips I/Other people have
Restricted ssh shell for scp/sftp http://sublimation.org/scponly/ [sublimation.org]
Patch to lock out IPs brute forcing passwords http://ethernet.org/~brian/src/timelox/ [ethernet.org]
Can add restrictions to authorized_keys file
from="hostipaddress",command="/usr/local/sbin/ssh
Securing sshd in
Protocol 2
PermitRootLogin without-password
PasswordAuthentication no
ChallengeResponseAuthentication no
ClientAliveInterval 60
ClientAliveCountMax 30
The first line says to stop using the old, lower security ssh protocol-1.
The second line is a hedge that says never allow root logins using the unix password -- always use some other authentication.
The third line says don't allow skey authentication. It is a good idea to turn this off if you aren't using skey at this time. (Skey implements a series of non-reusable, one-time passwords. If you were using it you would know.)
The fourth and fifth lines simply make sure that any connection to a client that doesn't respond at least once each half hour gets closed. After editing the sshd file, restart sshd or reboot for the changes to take effect.
31-12-2004: new rate-limiting feature in -current. This would block hosts that exceed 10 connections per 60 seconds.
pass in on $ext_if proto tcp to $ext_if port ssh flags S/SA \
keep state (max-src-conn-rate 10/60, overload )
block in on $ext_if proto tcp from to $ext_if port ssh
Also my previous post to do with limiting user connections to SSH during the scarey SSH port scanning days of not so long ago...
http://it.slashdot.org/comments.pl?sid=156058&cid
Repeated here for your convenience:
Ways around SSH Brute forcing (Score:1)
by meridian (16189) on 11:06 AM July 17th, 2005 (#13084357)
(http://www.thief.net/)
There are esentially three ways to fix this problem.
The first is to patch sshd which is probably the least preferable way as you would need to continually keep patching with each upgrade. But this seems effective allowing you to exec a system command such as iptables.
http://ethernet.org/~brian/src/timelox/ [ethernet.org] [ethernet.org]
The second is to use iptables to limit connection attempts from an IP address. One problem with this is people who use scp alot may quickly rack up that connection limit.
Here is a recent example from the iptables mailing list
iptables -A INPUT -p tcp --dport 22 -s ! $My_Home_Firewall_IP -m state --state NEW -m recent --name SSH --set --rsource -j SSH_BF
iptables -A SSH_BF -m recent ! --rcheck --seconds 60 --hitcount 3 --name SSH --rsource -j RETURN
iptables -A SSH_BF -j LOG --log-prefix "SSH Brute Force Attempt: "
iptables -A SSH_BF -p tcp -j DROP
The best in my opinion is a pam module found at http://www.kernel.org/pub/linux/libs/pam/modules.
This does not have the problem of the IPTables method that may mistake multiple fast scps etc as an attack attempt, and will not require coninutal repatching of the kernel such as the timelox patches.
There is a reason.... (Score:5, Informative)
>>>
Agent forwarding should be enabled with caution. Users with the
ability to bypass file permissions on the remote host (for the
agent's Unix-domain socket) can access the local agent through
the forwarded connection. An attacker cannot obtain key material
from the agent, however they can perform operations on the keys
that enable them to authenticate using the identities loaded into
the agent.
So wha is slashdot running an article about something where there is an explicit one-paragraph long waring in the man page of program at the option in question.
Yes, no doutbt there are a lot of idiots around, who without understanding,do things which require semantics which leads to a security leak (there is abolutely no way if you want to initiate authenticatication from processes on a machine to avoid root to do the same - as log as you are not asked on the agent's side each time before authentication;
Re:Basic Stuff (Score:4, Informative)
When the admin logs into the DMZ host with agent forwarding turned on, SSH will create a socket to interact with the agent on the admin's machine. Since the wily hacker has root on the DMZ machine, he can write to and read from that socket with no problem, and thus can ask the agent to authenticate to anywhere that the agent is willing to authenticate to (what he actually would do is just set environment variables for SSH that say "I'm using agent forwarding, my agent is located at {admin's agent forwarding socket}").
Re:dont really understand the problem. (Score:2, Informative)
Or better yet, don't allow the DMZ host to initiate *any* connection outbound from itself, if the services present on it don't need to do such, or failing that, disallow it initiating any connection that isn't out the internet-only-facing interface(s).
However, that's still not what the attack is exploiting, and wouldn't prevent the attack.
The 'attack' is taking an (I)Internal (S)erver, an (I)nternal (W)orkstation, and a (D)MZ host. Your firewall/ACLs are set such that IS can't receive, or will reject, any connection from D. However IS will accept connections from IW, and furthermore IW can ssh to D. So, the well-meaning admin of D, using IW, ssh's to D, setting up a tunnel to forward traffic on port Dx on D back to IW, port IWx, and also ssh's from IW to IS, forwarding IWx to a service on IS. Thus you can now connection to (D's) localhost:Dx and end up talking to the service on IS.
At no point is any connection initiated from D outside of itself, as the data is simply passing back through the ssh tunnel from IW to D, and then back further from IW to IS. And, no, you can't firewall D from talking to any but necessary ports on D, as we're assuming root compromise of D and thus all such bets are off.
Now, if someone has compromised D *and* can hijack this tunnel D IW IS they have access to IS.
Of course the real solution to the base problem is to have IS set up in some way to push data out to D, such that IW's user/D's admin doesn't have to play such silly and dangerous games in the first place. Any such 'administrator' setting up what has been described is incompetent.
Now one last thing. The general attack hinges on an attacker's agent Aa being able to make use of the unix domain socket of the administrator's agent, Da. I'm very certain that when I tried this kind of attack on myself way back in 1998 or sooner it plain wasn't possible. If it is now then the (Open, whatever)ssh code has taken a step backwards. Basically some check was done on the origin of the messages on the socket, and if they weren't as expected the request to use the keys in the agent was denied. I think it was along the lines of "is the requesting process a (sub(sub...))child of myself?", presumably by following parent process IDs back up until it finds itself or init. Yes, ok, if the agent spawned any child that spawned a service that was subsequently compromised and not put in a new session group you could probably pull off the attack, but that is unlikely (as any service daemonising itself will end up in a new session group).
Because it's useful? (Score:1, Informative)
ssh-agent is a solution to grant any process on the system full access to a means of authenticating through your private key.
Any process? Presumably this is only if you have deliberately made the socket files world-readable?
The alternatives to ssh-agent are password authentication and host-based authentication. I'm sure I don't need to remind you about the security issues with those!
Re:Huh? What? (Score:5, Informative)
Re:The Key is Not Transmitted (Score:4, Informative)
Perhaps the author of the article should have read the source of the text you quoted [openbsd.org]. The preceding paragraph:
So the only people who will be caught out by this are those who:
Configuring the agent to prompt the user to confirm any signing request can be as complicated as putting the private key on a smart card (which will make the reader prompt for a PIN whenever the card recieves a signing request) or it can be as simple as using the -c option when calling ssh-add; therefore this does not seem like a big deal to me.
They haven't heard of ssh-add -c? (Score:5, Informative)
2004 article mentions this (Score:3, Informative)
Re:So... (Score:5, Informative)
It's more of a credential hijacking scenario where
the attacker waits for you to authenticate with
the compromised machine, forward your credentials
to that machine, and then the attacker uses those
credentials to reach other machines that honor those
credentials.
This would be more like you signing in, walking
away from your computer, and someone else walkup up
to the computer and doing stuff as you except that
they get to act as you while you're still acting
as you.
Did that help?
Summary to the Summary (Score:3, Informative)
Re:Huh? What? (Score:2, Informative)
Re:dont really understand the problem. (Score:3, Informative)
Copying from a man-page is not news (Score:3, Informative)
-A Enables forwarding of the authentication agent connection. This can also be specified on a per-host basis in a configuration file.
Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the agent's Unix-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent.
So what's the news?