Loomis, Rip
2001-Jun-01 13:46 UTC
Disabling Password-based auth? (was RE: recent breakins)
All--

But it's not as simple as forwarding the password-based authentication.
Regardless of what method was used to SSH from system one (user's) to
system two (SF), the user then started up *a second* SSH session to go
from two (SF) to three (Apache). There is no effective way for any
authentication information from the first session to be passed to the
second, in my mind.

Remember that the SF servers had suffered a root compromise--so any
non-password-based authentication that would allow the user on the SF
system to get to the Apache systems could have been equally compromised.

The correct fix is *not* to disable password-based authentication, but to
ensure that users understand that SSH is not a silver bullet. An SSH
session should generally only be initiated from a more secure system to a
less secure system--in my case, the system on my desk is one that I have
personally hardened and that is closely monitored, so I have no problem
using SSH to go out to my ISP and read mail. I would think *very*
carefully before using SSH in reverse, since my ISP's systems are (IMHO)
much less secure.

I'm as appalled by what happened to SF and Apache as anyone else, but I
would ask that we work on the user awareness issue, which I believe is
the real "root" problem (pardon the pun). For the cases where someone
needs to get from system A to system B with some basic level of security
and doesn't have any other credentials/authentication available, there
really is no substitute for password-based authentication.

--
Rip Loomis
Brainbench MVP for Internet Security
http://www.brainbench.com (Transcript 1923411)

> -----Original Message-----
> From: Tom Holroyd [mailto:tomh at po.crl.go.jp]
> Sent: Friday, June 01, 2001 4:53 AM
> To: openssh-unix-dev at mindrot.org
> Subject: Re: recent breakins
>
>
> On Fri, 1 Jun 2001, Gert Doering wrote:
>
> > On Fri, Jun 01, 2001 at 11:24:49AM +0900, Tom Holroyd wrote:
> > > But what about multiple links? It should be possible to forward
> > > authentication requests back to the user's keyboard. The SRP protocol can
> > > be forwarded over any number of links, *even through a trojaned ssh*
> > > without revealing any information that a cracker can use.
> >
> > Same with agent forwarding and using RSAAuthentication.
>
> True. Too bad the guy wasn't using it. Why wasn't he using it?
>
> Perhaps OpenSSH should simply disallow password authentication?
>
> This type of man-in-the-middle attack (trojaned ssh) is not theoretical
> anymore, and password authentication is broken.
>
> The question is, can password authentication be (securely) forwarded? If
> not, then we really should remove password authentication as an option.
>
Jason Stone
2001-Jun-01 13:59 UTC
Disabling Password-based auth? (was RE: recent breakins)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> But it's not as simple as forwarding the password-based
> authentication. Regardless of what method was used to SSH from system
> one (user's) to system two (SF), the user then started up *a second*
> SSH session to go from two (SF) to three (Apache). There is no
> effective way for any authentication information from the first
> session to be passed to the second, in my mind.
>
> Remember that the SF servers had suffered a root compromise--so any
> non-password-based authentication that would allow the user on the SF
> system to get to the Apache systems could have been equally
> compromised.

That's exactly the point of SRP (well, one of the points) - it takes care
of that - even if the host in the middle has been compromised and the
attacker is sniffing all the ttys or something.

One can imagine other ways of ssh'ing through multiple systems without
giving away passwords to the intermediate hosts. A trivial example -
instead of saying "ssh -t host1 ssh host2" we can say instead
"ssh -f -L 2222:host2:22 host1 'sleep 999999'; ssh -p 2222 localhost" - the
latter command line never allows host1 to see the plaintext of your
password/key/whatever for host2.

 -Jason

 ---------------------------
 If the Revolution comes to grief, it will be because you and those you
 lead have become alarmed at your own brutality.  --John Gardner

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQE7F5+1swXMWWtptckRAkBZAKCsXTzgmEebtaXiLaDiGfJwQVaqbACgpN2N
zPTJ9c7I+aKTnR/RnFUqw0w=
=TlgR
-----END PGP SIGNATURE-----
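The tunnel-through-host1 approach Jason describes above, written out as an added example; this is editorial code, not part of the original thread and not OpenSSH's own code. It is a small POSIX shell function around the same two ssh invocations. The host names (jump.example, target.example), the local port 2222 and the control-socket path are assumptions. Compared with the one-liner, it replaces 'sleep 999999' with -N plus a control socket so the tunnel can be torn down cleanly, refuses to continue if the local port is already taken, and pins host2's host key under its real name with HostKeyAlias: without that, a compromised host1 can point the forward at its own sshd and the user only sees a "new host key for [localhost]:2222" prompt, which is exactly the man-in-the-middle the thread is worried about.

```shell
#!/bin/sh
# Added example, not from the thread: reach HOST2 via HOST1 without HOST1 ever
# seeing credentials for HOST2. The first ssh carries only a TCP forward (no
# shell, no command on host1); the second ssh runs the SSH handshake and
# authentication end-to-end through that forward, so host1 relays ciphertext.
#
# Assumptions: OpenSSH client 5.6 or later (ControlMaster, -O exit) on the
# local machine; host names are hypothetical; SSH/LPORT may be overridden
# (SSH=echo gives a dry run that prints the commands instead of running them).

SSH=${SSH:-ssh}
LPORT=${LPORT:-2222}

# tunnel_hop HOST1 HOST2 [command...]
# Returns the exit status of the ssh session to HOST2.
tunnel_hop() {
    host1=$1; host2=$2; shift 2
    ctl="$HOME/.ssh/ctl-$host1-$$"

    # 1. Background master connection to host1 carrying only the forward.
    #    -N: no remote command at all (no 'sleep 999999' needed)
    #    -M/-S: control socket so step 3 can close it deterministically
    #    ExitOnForwardFailure: abort here if LPORT is already bound locally
    "$SSH" -f -N -M -S "$ctl" \
        -o ExitOnForwardFailure=yes \
        -L "127.0.0.1:$LPORT:$host2:22" "$host1" || return 1

    # 2. Second ssh, end to end to host2's sshd through the forward.
    #    HostKeyAlias=host2 makes known_hosts verify host2's real key under
    #    its real name, so a trojaned host1 redirecting the forward to a
    #    fake sshd fails host-key checking instead of appearing as a
    #    never-seen "[localhost]:2222" host.
    "$SSH" -p "$LPORT" -o "HostKeyAlias=$host2" 127.0.0.1 "$@"
    rc=$?

    # 3. Tear the tunnel down through the control socket.
    "$SSH" -S "$ctl" -O exit "$host1" 2>/dev/null
    return $rc
}

# Usage:  . ./tunnel_hop.sh && tunnel_hop jump.example target.example uptime
```

On an OpenSSH 7.3 or later client, `ssh -J jump.example target.example` (ProxyJump) performs the same stdio-forwarded, end-to-end-authenticated hop in one command, and host-key checking for target.example happens under its own name automatically; the function above shows what that shorthand is doing.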