[svlug] Configuring Server - SSH Trouble + Security Considerations
Rick Moen
rick at linuxmafia.com
Wed Oct 25 09:00:39 PDT 2006
Quoting Don Marti (dmarti at zgp.org):

> I choose not to allow passworded ssh logins at all.
> How do I know when a user chooses the same password
> on my system as on an insecure site somewhere else?

A reasonable strategy, and it probably reduces your risk a bit.

However, I have long held a theory that the main way SSH access tokens
get stolen on the Internet goes like this:

$BADUSER has shell on an indifferently administered university machine,
hunts around for local vulnerabilities, and cracks root. Installs
rootkit to hide his/her subsequent actions, replacing many local
binaries with trojaned substitutes, including /usr/bin/ssh and the
kernel console driver. $USER logs in, and in due course sshes outbound
to host2. A week later, $BADUSER, in rummaging through other captured
data, notices and stows away $USER's outbound access information,
including ssh private key and passphrase (from logged console data).
$BADUSER now sshes to host2, scps over his/her 'sploit collection,
cracks root, and repeats the cycle.

Please notice how this regimen works for $BADUSER almost as easily and
routinely with public keypair authentication as with ssh passwords, even
if the sysadmins and users do all key-handling steps correctly. Which
was of course how the sensitive internal network of [former Linux
company that couldn't seem to make up its mind what to name itself] got
famously H4X0Red by some script kiddie.

The one thing $USER can do to counter that threat model is to expose
his/her tokens only on the more-trusted end of the ssh tunnel. E.g., if
I were $USER sshed in from my laptop to the university host, and wanted
to scp some files back to my laptop, I'd _always_ run the scp process on
the laptop ("pulling" the files from my end, rather than "pushing"
them from the remote one), such that my passphrase or password is in the
console driver and RAM only _there_, and never on the less-trusted
university host.

> I have few enough users to make this practical --
> if I had any more I'd figure out how to make signed
> packages to distribute an /etc/ssh/ssh_known_hosts
> to everyone.

Reminds me: Everyone, if you carry around a USB pendrive, put your SSH
and gpg keys on it, along with your ~/.ssh/known_hosts file. The
latter is essential if you're going to avoid the "Am I feeling lucky and
want to accept this host key?" dilemma every time you ssh back to your
usual locations from somewhere new.
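An added example (not part of Rick's post) of the two habits above in shell: the scp is always run on the trusted laptop so the key and passphrase never touch the remote host, and the copy is pinned to the known_hosts file carried on the pendrive, refusing hosts that are not already in it. The pendrive mount point, key filename and the sample known_hosts contents are assumptions.

```shell
#!/bin/sh
# Keys and known_hosts live on the pendrive (hypothetical mount point).
KEYDIR="${KEYDIR:-/media/pendrive/ssh}"

# Write a constructed sample known_hosts file to $1 (for demonstration only).
write_sample_known_hosts() {
    cat > "$1" <<'EOF'
# constructed sample, not real host keys
univ.example.edu,10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE
@revoked old.example.edu ssh-rsa AAAAB3NzaC1yc2EAAAADAQABEXAMPLE
host2 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABEXAMPLE2
EOF
}

# Return 0 if hostname $1 has an unhashed, unrevoked entry in known_hosts
# file $2. Handles comma-separated aliases and @cert-authority markers;
# hashed (|1|...) entries are not matched, so they count as unknown.
host_is_known() {
    _host=$1; _file=$2
    [ -r "$_file" ] || return 1
    awk -v h="$_host" '
        $1 ~ /^#/ || $1 == "@revoked" { next }
        { f = ($1 ~ /^@/) ? $2 : $1
          n = split(f, names, ",")
          for (i = 1; i <= n; i++) if (names[i] == h) { found = 1; exit } }
        END { if (found) exit 0; exit 1 }' "$_file"
}

# Pull remote file $2 from host $1 into local path $3, running scp HERE on
# the trusted end. StrictHostKeyChecking=yes plus the carried known_hosts
# turns a changed or unknown host key into a hard failure, not a prompt.
pull_from_remote() {
    host_is_known "$1" "$KEYDIR/known_hosts" || {
        echo "refusing: $1 is not in $KEYDIR/known_hosts" >&2; return 2; }
    scp -i "$KEYDIR/id_ed25519" \
        -o UserKnownHostsFile="$KEYDIR/known_hosts" \
        -o StrictHostKeyChecking=yes \
        "$1:$2" "$3"
}

# Example use on the laptop: pull_from_remote univ.example.edu ~/paper.tex ./
```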