Overconfidence in SSH Protection 194
nitsudima writes to mention a post on the Informit site about the common misunderstandings surrounding SSH, and how well-intentioned admins may be creating holes in their own security by using it. From the article: "In UNIX, all things are files. To send network traffic, UNIX writes the traffic to the network device file. In this case, the connection to Box A (and that private key used for authentication) is a socket file. This file will shuttle the authentication traffic between Box A and Box P. So what's the risk? Maybe the hacker can't get a copy of the private key through the socket file, but something better (from his/her view) can be done. If the hacker has root on Box D, he or she can point a private copy of the agent forwarding software to that socket file and thereby point the authentication process to the administrator's credentials--the ones kept on the 'safe' intranet. What are the chances that the administrator has configured access to all the DMZ servers he controls?"
So... (Score:1, Interesting)
Isn't that why SSH displays that "Private key SO:ME:WE:IR:DL:ET:TE:RS belongs to IP 127.0.0.1" or whatever?
Not a SSH problem? (Score:3, Interesting)
Re:dont really understand the problem. (Score:4, Interesting)
Duh.
Re:Huh? What? (Score:4, Interesting)
Re:Hopefully, a better summary... (Score:5, Interesting)
It's not quite as straightforward of a duh moment (after all, server A on its own can't log into server B), it's basically just saying "when you log into a server and have agent forwarding turned on, you allow anyone with root access on that server to log into anywhere your agent can log into".
Re:OpenBSD? (Score:1, Interesting)
Re:Huh? What? (Score:2, Interesting)
Wash, rinse, repeat.
Before you know it your whole DMZ is rooted (in more than one sense).
In short:
- If you find a compromised box on your network, assume there's more than one and order pizza... you're in for a long night.
- Segregate your networks so if someone, say, gets at your DMZ there's no way to get into your internal or other production network i.e. no ssh or accessible services on your firewall machines on the DMZ interfaces.
i.e. It's not just an issue with ssh.
Re:There is a reason.... (Score:1, Interesting)
Re:Not a SSH problem? (Score:1, Interesting)
IMHO, the REAL problem that people have with SSH is this:
1) If you turn an IDS on your network and all traffic is going to port 22 and everything is encrypted then you have NO IDEA what really goes on in your network.
2) A compromised home system will be able to masquerade as its owner inside the intranet.
Example of making intranet services available to the whole world:
#make the ssh server on my work desktop available in my home network (on server joeshouse.org):
ssh -L9999:joedesktop.work.com:22 joe@gateway.work.com
#make the accounting server available for the whole world at http://joeshouse.org:8000/ [joeshouse.org]
ssh -g -p 9999 -L8000:accounting.work.com:80 joe@localhost
#ditto for the cvs server (probably ssh encrypted access)....
ssh -g -p 9999 -L8878:cvs.work.com:22 joe@localhost
Example of refusing to use the official proxy server while at work, using personal from house instead
ssh -L9999:joeshouse.org:22 joe@joeshouse.org
ssh -p 9999 -L3128:localhost:3128 joe@localhost
Example of playing on my favorite gaming server for a 3:00am game before I head home for the night:
ssh -L9999:joeshouse.org:22 joe@joeshouse.org
ssh -p 9999 -L2379:goserver.igoweb.org:2379 joe@localhost
In every case, the admin sees nothing but ssh traffic from joedesktop.work.com to joeshouse.org:22. Nothing other than the volume of traffic would trigger suspicion. End users in the network have actual privacy under this scenario, which conflicts with having accountability. You have to actually trust your end users now.
Where I work, the admin basically just shuts down all incoming access to a single ssh gateway, and an http proxy going out. He doesn't take requests to open up ports and such. He will tell you to use ssh and do it yourself. Implicit in this is the idea that this does defend from outside attacks on the network, but it places a level of trust in the employees (to be neither extremely stupid nor malicious)
You can tell yourself that if you get rid of SSH, this problem will go away, but ANY tunnel can be used to do this (https://joeshouse.org for instance). You can set up an SSL service on joeshouse.org:443 and it happens to just be a tunnel to ssh. You could create an SSL tunnel that lets you set up port forwards just like SSH does now, with no way the proxy could tell what happens under that encryption. The fact that the tunnel is encrypted means that you can't spy on users to try to limit what they do. We are the kind of employee population where almost everyone knows all the routes around official policy, so you just have to tell them what activities are prohibited (don't run p2p at work, dont visit pr0n sites, etc) and enforce by non-technical means.
SSH-AGENT doesn't make a root level exploit worse (Score:3, Interesting)
I've cleaned up boxes that had been rootkitted, and if you can't identify when it happened so you can restore from a known good backup you're best off reinstalling from scratch.
The same thing is true, to a lesser extent, for local user privileges. Do you check that $PATH doesn't go through ~/bin before
Once someone can run unsandboxed code on your computer you're compromised, and any tool you use to examine your computer may be compromised, and ssh-agent make so little difference that it's simply not worth worrying about.
Re:Copying from a man-page is not news (Score:2, Interesting)
Re:Huh? What? (Score:2, Interesting)