|
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
|
Re: ssh and trust (Was: Re: [PLUG] Putty and firewall piercing)
|
In the message dated: Wed, 28 Feb 2007 10:48:41 EST,
The pithy ruminations from Jeff Abrahamson on
<Re: ssh and trust (Was: Re: [PLUG] Putty and firewall piercing)> were:
=>
=>
=> On Wed, Feb 28, 2007 at 10:33:45AM -0500, bergman@merctech.com wrote:
=> > In Art's question, the local machine is owned by an employer. This
=> > is fairly common. Assuming that the local machine has not been
=> > compromised, is run securely, and that you "trust" the admins who
=> > are running the machine, there's still a risk in that the employer
=> > has a right to the data (ie., your ssh key) stored on that
=> > machine. However, _if_ the ssh key was created with a passphrase,
=> > that key is useless without the passphrase.
=>
=> Note that you still have to trust root if you use an ssh-agent. If
Right. That's why I glossed over ssh-agent. Using ssh-agent also means that
you've got to be vigilant about not letting anyone else get access to your
keyboard...whether root or not...if someone uses your login session (ie., if you
get up to have a quick double-non-fat-semi-dry-half-caffiene-latte and don't
lock your keyboard) then they also have access to your remote server.
=> you don't trust root but an ssh-agent caches your pasphrase, root can
=> su to me and set the following environment variables like this:
=>
=> jeff@astra:~ $ env | grep SSH_
=> SSH_AGENT_PID=3D10926
=> SSH_AUTH_SOCK=3D/tmp/ssh-OnXBZ10839/agent.10839
=> jeff@astra:~ $
=>
=> and then I'm toast.
=>
=>
=> > The worst situation is that the ssh key has been created without a
=> > passphrase (or that the key was created on the untrusted machine,
=> > and the passphrase was sniffed when the key was created). In this
=> > situation, anyone with access to the key (and sniffed passphrase, if
=> > one was used) also has access to your remote server. Remember, the
=> > ssh key is protected with the standard filesystem ACLs. How much do
=> > you trust the local admins (and how backup tapes are stored)?
=>
=> Same if a key sniffer gets your passphrase later. Again, you have to
=> trust root.
Yes. That's the fundamental issue...do you trust root (or, in the case of a
truely public cyber-cafe, do you trust all the grubby fingers that have ever
touched the keyboard before you)?
=>
=>
=> > In this case, the most secure method for using ssh from this host to
=> > connect to your remote machine is to use one-time passwords. The
=> > one-time password MUST be computed separately from the untrusted
=> > environment. This may mean using a PDA to generate the OTP or
=> > pre-generating a printed list of OTPs.
=>
=> How do you have your machine demand OTP's?
There are many ways to do this.
Depending on your version of ssh, how it was compiled, and what OTP you want,
enable ChallengeResponseAuthentication or SkeyAuthentication in the sshd config
and use PAM to define your OTP mechanism.
Here are some examples from a site I use...but not one that I admin (my current
machines are all behind a firewall that blocks inbound ssh in favor of a VPN, so
I haven't set it up here...though I have in the past.)
====== /etc/pam.d/sshd =====================
# PAM configuration for the "sshd" service
#
# auth
auth required pam_nologin.so no_warn
auth sufficient pam_krb5.so no_warn try_first_pass
# pam_ssh has potential security risks. See pam_ssh(8).
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
# session
# pam_ssh has potential security risks. See pam_ssh(8).
#session optional pam_ssh.so
session required pam_permit.so
# password
password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
============================================
========= /etc/pam.d/passwd ================
# passwd(1) does not use the auth, account or session services.
# password
password include system
============================================
========= /etc/pam.d/system ================
# System-wide defaults
#
# auth
auth sufficient pam_krb5.so no_warn try_first_pass
auth sufficient pam_skey.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok
# account
account required pam_krb5.so
account required pam_unix.so
# session
session required pam_lastlog.so no_fail no_nested
# password
password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
============================================
========== /etc/pam.d/login ==============
# PAM configuration for the "login" service
#
# auth
auth sufficient pam_self.so no_warn
auth required pam_nologin.so no_warn
auth sufficient pam_skey.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok
# account
account requisite pam_securetty.so
account required pam_login_access.so
account include system
# session
session include system
# password
password include system
============================================
Here are some examples:
http://bernard.blackham.com.au/babble/2006/08/27/
http://www.linux.ie/lists/pipermail/ilug/2005-August/083130.html
[note: there are some errors here--ssh + PAM can be configured
to use the ssh key first, and if that isn't supplied,
then to fall back to OTP. Be sure to follow the entire
thread for more details.]
=>
=> --=20
=> Jeff
=>
=> Jeff Abrahamson <http://jeff.purple.com/> +1 215/837-2287
=> GPG fingerprint: 1A1A BA95 D082 A558 A276 63C6 16BF 8C4C 0D1D AE4B
=>
=> --ZJcv+A0YCCLh2VIg
=> Content-Type: application/pgp-signature; name="signature.asc"
=> Content-Description: Digital signature
=> Content-Disposition: inline
=>
=> -----BEGIN PGP SIGNATURE-----
=> Version: GnuPG v1.4.6 (GNU/Linux)
=>
=> iD8DBQFF5aRZFr+MTA0drksRAkuPAKCdl7/wL5AKuExv+zk8fFEYzrk7PQCfXwfK
=> r+VIG2/KYIFIVQzQSRxnQlY=
=> =M3Bi
=> -----END PGP SIGNATURE-----
=>
=> --ZJcv+A0YCCLh2VIg--
=>
=> --===============0848769135==
=> Content-Type: text/plain; charset="us-ascii"
=> MIME-Version: 1.0
=> Content-Transfer-Encoding: 7bit
=> Content-Disposition: inline
=>
=> ___________________________________________________________________________
=> Philadelphia Linux Users Group -- http://www.phillylinux.org
=> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
=> General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
=>
=> --===============0848769135==--
=>
-----
Mark Bergman Biker, Rock Climber, Unix mechanic, IATSE #1 Stagehand
http://wwwkeys.pgp.net:11371/pks/lookup?op=get&search=bergman%40merctech.com
I want a newsgroup with a infinite S/N ratio! Now taking CFV on:
rec.motorcycles.stagehands.pet-bird-owners.pinballers.unix-supporters
15+ So Far--Want to join? Check out: http://www.panix.com/~bergman
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
|
|