Overconfidence in SSH Protection 194
nitsudima writes to mention a post on the Informit site about the common misunderstandings surrounding SSH, and how well-intentioned admins may be creating holes in their own security by using it. From the article: "In UNIX, all things are files. To send network traffic, UNIX writes the traffic to the network device file. In this case, the connection to Box A (and that private key used for authentication) is a socket file. This file will shuttle the authentication traffic between Box A and Box P. So what's the risk? Maybe the hacker can't get a copy of the private key through the socket file, but something better (from his/her view) can be done. If the hacker has root on Box D, he or she can point a private copy of the agent forwarding software to that socket file and thereby point the authentication process to the administrator's credentials--the ones kept on the 'safe' intranet. What are the chances that the administrator has configured access to all the DMZ servers he controls?"
Huh? What? (Score:5, Insightful)
All I need is root? (Score:5, Insightful)
Root (Score:3, Insightful)
dont really understand the problem. (Score:5, Insightful)
Any sysadmin who configures sshd to allow direct access to a root account is incompetent and deserves to clean up the resulting mess when they are cracked.
So what should we worry about again?
OpenBSD? (Score:2, Insightful)
So you are calling the OpenBSD guys incompetent? After all, if you enable SSH in the default installation, you can SSH into that machine including as root.
The Key is Not Transmitted (Score:5, Insightful)
Re:dont really understand the problem. (Score:5, Insightful)
The exploit mentioned in the article doesn't rely on ssh being configured to connect directly to root. It relies on the attacker having gained root access on the box being ssh'd to by the sysadmin. Once the sysadmin has ssh'd to the comnpromised box (as any user) the attacker can then ssh to any other box the sysadmin has configured to use agent forwarding.
Two solutions to prevent this compromise of the rest of the network:
1) Don't allow the DMZ box to ssh anywhere; firewall it off. There should be no need to ssh FROM the DMZ box, only TO it.
2) Use a different public/private key pair for each box. That way, if you didn't firewall the DMZ off it would still fail on the key authentication. The drawback of this is a) the attacker can still ssh to your admin box which contains all of the private keys and b) you lose most of the advantage of agent forwarding; the ability to ssh through a chain of boxes without any but the first needing to store the private key.
I suppose the underlying message in the article is "You REALLY can't trust anything in a DMZ that may have been compromised. ssh is a tool that can be turned against you if one of your machines is compromised."
Never understood why they invented the SSH-AGENT (Score:2, Insightful)
ssh-agent is a solution to grant any process on the system full access to a means of authenticating through your private key. No comment ! There's nothing difficult in typing
a passphrase each time you connect to a remote site !
--
willy
high performance free load balancing solution - http://w.ods.org/haproxy/ [ods.org]
Re:Huh? What? (Score:4, Insightful)
So... how does this even remotely approach being news? Yes, if you type your passwords into a machine on which someone else has root, you have given those passwords to them! The horror! I had no idea!
The best thing I can say about this article summary is that it did not misrepresent the actual piece. The article itself was also muddled tripe, filled with semi-true and completely-irrelevant noise like "in unix, everything is a file..."
It appears that the author is just a firewall admin who's offended that ssh can be used to thwart his precious acls, and invested in giving the tool a bad name.
Re:dont really understand the problem. (Score:2, Insightful)
From the article: (emphasis mine)
The convoluted setup using the workstation and the patching server were irrelevant to the fact that there was an ssh-key connection to a compromised box which then used agent-forwarding to connect to and compromise other boxes in the DMZ.
As long as the DMZ is properly firewalled from the internal boxes it should be impossible to actively compromise them using a forwarded ssh key and hence you were completely correct in stating that your description of the attack was impossible. (I hope. If it were possible that would be... bad.
This would also mean that if the administrator had a different public-key/private-key pair for each box in the DMZ then the attacker could not agent-forward the ssh session to other boxes and would have to compromise each one manually. However, since most boxes in a DMZ are often configured identically with a load balancer in front of them, a flaw on one that allowed the inital compromise would likely be replicated to all the others and allow them to be compromised in the same way.
He also goes on to suggest that there might be a flaw in the administrator's patch loading scripts that allows execution of code on the patch-server but that is an entirely seperate issue and not concerned with ssh at all.
Bullet proof is hard to come by (Score:3, Insightful)
Anyone with the time and resources is going to find a way into your network. Many times security does not have to be bullet proof. Don't have to be faster than the bear, just faster than the large majority of other networks. Unless there's something really compelling on your system, they're likely to pick an easier target.
I use my home network as an example. I have one copy of XP on my system. What I consider the weak link in the security chain. It's on a NAT'd segment, I don't surf the internet with it and anything sensitive is on a TrueCrypt partition that I only mount when needed. Hardly bullet proof but not bad for Windows.
Re:Huh? What? (Score:4, Insightful)
Re:Huh? What? (Score:3, Insightful)
Sorry, doesn't work.
I'm an 3v1l h4x0r in complete control of untrusted host X. Some poor fool uses SSH to connect to the trusted, firewalled host Haven. At this point, since I'm in complete control of X, I can simply send commands from X to Haven, doing anything the user could - including launching an SSH or telnet client from Haven's command line. What ? Haven doesn't have them ? Then I simply send one, piping encoded data to uudecode, or perhaps a mail client (to send the file to the users own account - if it's machine-local delivery, it propably won't go through the companys mail server and won't be stripped for binaries), or maybe simply through some insane sed script to turn hexcodes back to binary format - but one way or another, I'll get the telnet client to Haven.
Well, now I have telnet in Haven, and can connect to any service running at Haven, with the connection seemingly originating from Haven itself. And of course I can connect to other intranet machines as well. Or I could use some kind of hex-to-bin proxy telnet-like program, and another one on X, to emulate agent forwarding.
The point is that as long as there is a connectiong between X and Haven, and Haven gives the user a command line interface, it is impossible to prevent the user from forwarding arbitrary connections over it. Or at least simply preventing SSHs native support for that won't stop it from happening.
The lesson: any machine that gives shell access to untrusted machines is untrusted.
Re:Huh? What? (Score:3, Insightful)
Don't use agent forwarding when connecting to an untrusted box?
Can you just mandate that as a policy or are there times when you absolutely have to use agent forwarding via an untrusted/DMZed machine? I don't think I've ever used a DMZ machine for agent forwarding, but then again it's not really a feature I've used very heavily.
Re:Home/Office network compromisation in 4 steps (Score:3, Insightful)
A more secure way would be to only allow non-port forwarded, remote desktop-style connections to a single cluster of terminal server machines. This would prevent direct remote attacks from the home machine against anything other than the terminal server on the terminal server ports. A compromised home machine could still allow someone to tunnel and login to the terminal server as you via remote control, but at least you have limited the attacker's access to a machine that you control and that isn't compromised. While your credentials would be compromised (via the keylogger/session shadower the attacher installed on your home machine), the attacker would only be able to do what you could do on the terminal server. You would be screwed when they detect "you" attempting to compromise internal security or sneaking out sensitive information, but the network would be much safer.
Alternately, if you don't have a terminal server-style (RDP, Citrix, LTSP, etc.) environment set up, you could have the tunnel gateway only allow RDP/Citrix/X access to the user's work desktop with similar security attributes.
Re:Huh? What? (Score:3, Insightful)
Remember the
Just from the "in unix, everything is a file...." I started seeing big money funding this article. I could be wrong, though...
I wonder if
Re:Huh? What? (Score:2, Insightful)
Re:Huh? What? (Score:2, Insightful)