bergman on 28 Feb 2007 16:28:56 -0000


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: ssh and trust (Was: Re: [PLUG] Putty and firewall piercing)



In the message dated: Wed, 28 Feb 2007 10:48:41 EST,
The pithy ruminations from Jeff Abrahamson on 
<Re: ssh and trust (Was: Re: [PLUG] Putty and firewall piercing)> were:
=> 

=> 
=> On Wed, Feb 28, 2007 at 10:33:45AM -0500, bergman@merctech.com wrote:
=> > In Art's question, the local machine is owned by an employer. This
=> > is fairly common. Assuming that the local machine has not been
=> > compromised, is run securely, and that you "trust" the admins who
=> > are running the machine, there's still a risk in that the employer
=> > has a right to the data (ie., your ssh key) stored on that
=> > machine. However, _if_ the ssh key was created with a passphrase,
=> > that key is useless without the passphrase.
=> 
=> Note that you still have to trust root if you use an ssh-agent.  If

Right. That's why I glossed over ssh-agent. Using ssh-agent also means that
you've got to be vigilant about not letting anyone else get access to your
keyboard...whether root or not...if someone uses your login session (ie., if you
get up to have a quick double-non-fat-semi-dry-half-caffiene-latte and don't
lock your keyboard) then they also have access to your remote server.


=> you don't trust root but an ssh-agent caches your pasphrase, root can
=> su to me and set the following environment variables like this:
=> 
=>     jeff@astra:~ $ env | grep SSH_
=>     SSH_AGENT_PID=3D10926
=>     SSH_AUTH_SOCK=3D/tmp/ssh-OnXBZ10839/agent.10839
=>     jeff@astra:~ $
=> 
=> and then I'm toast.
=> 
=> 
=> > The worst situation is that the ssh key has been created without a
=> > passphrase (or that the key was created on the untrusted machine,
=> > and the passphrase was sniffed when the key was created). In this
=> > situation, anyone with access to the key (and sniffed passphrase, if
=> > one was used) also has access to your remote server. Remember, the
=> > ssh key is protected with the standard filesystem ACLs.  How much do
=> > you trust the local admins (and how backup tapes are stored)?
=> 
=> Same if a key sniffer gets your passphrase later.  Again, you have to
=> trust root.

Yes. That's the fundamental issue...do you trust root (or, in the case of a 
truely public cyber-cafe, do you trust all the grubby fingers that have ever 
touched the keyboard before you)?

=> 
=> 
=> > In this case, the most secure method for using ssh from this host to
=> > connect to your remote machine is to use one-time passwords. The
=> > one-time password MUST be computed separately from the untrusted
=> > environment. This may mean using a PDA to generate the OTP or
=> > pre-generating a printed list of OTPs.
=> 
=> How do you have your machine demand OTP's?

There are many ways to do this.

Depending on your version of ssh, how it was compiled, and what OTP you want,
enable ChallengeResponseAuthentication or SkeyAuthentication in the sshd config
and use PAM to define your OTP mechanism.

Here are some examples from a site I use...but not one that I admin (my current
machines are all behind a firewall that blocks inbound ssh in favor of a VPN, so
I haven't set it up here...though I have in the past.)


====== /etc/pam.d/sshd =====================
# PAM configuration for the "sshd" service
#

# auth
auth            required        pam_nologin.so  no_warn
auth            sufficient      pam_krb5.so     no_warn try_first_pass
# pam_ssh has potential security risks.  See pam_ssh(8).
#auth           sufficient      pam_ssh.so      no_warn try_first_pass
auth            required        pam_unix.so     no_warn try_first_pass

# account
account         required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so

# session
# pam_ssh has potential security risks.  See pam_ssh(8).
#session        optional        pam_ssh.so
session         required        pam_permit.so

# password
password        sufficient      pam_krb5.so     no_warn try_first_pass
password        required        pam_unix.so     no_warn try_first_pass
============================================

========= /etc/pam.d/passwd ================
# passwd(1) does not use the auth, account or session services.

# password
password        include         system
============================================

========= /etc/pam.d/system ================
# System-wide defaults
#

# auth
auth            sufficient      pam_krb5.so             no_warn try_first_pass
auth            sufficient      pam_skey.so             no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass nullok

# account
account         required        pam_krb5.so
account         required        pam_unix.so

# session
session         required        pam_lastlog.so          no_fail no_nested

# password
password        sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass
============================================

========== /etc/pam.d/login ==============
# PAM configuration for the "login" service
#

# auth
auth            sufficient      pam_self.so             no_warn
auth            required        pam_nologin.so          no_warn
auth            sufficient      pam_skey.so             no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass nullok

# account
account         requisite       pam_securetty.so
account         required        pam_login_access.so
account         include         system

# session
session         include         system

# password
password        include         system
============================================




Here are some examples:
	http://bernard.blackham.com.au/babble/2006/08/27/

	http://www.linux.ie/lists/pipermail/ilug/2005-August/083130.html
		[note: there are some errors here--ssh + PAM can be configured
			to use the ssh key first, and if that isn't supplied,
			then to fall back to OTP. Be sure to follow the entire
			thread for more details.]



=> 
=> --=20
=>  Jeff
=> 
=>  Jeff Abrahamson  <http://jeff.purple.com/>          +1 215/837-2287
=>  GPG fingerprint: 1A1A BA95 D082 A558 A276  63C6 16BF 8C4C 0D1D AE4B
=> 
=> --ZJcv+A0YCCLh2VIg
=> Content-Type: application/pgp-signature; name="signature.asc"
=> Content-Description: Digital signature
=> Content-Disposition: inline
=> 
=> -----BEGIN PGP SIGNATURE-----
=> Version: GnuPG v1.4.6 (GNU/Linux)
=> 
=> iD8DBQFF5aRZFr+MTA0drksRAkuPAKCdl7/wL5AKuExv+zk8fFEYzrk7PQCfXwfK
=> r+VIG2/KYIFIVQzQSRxnQlY=
=> =M3Bi
=> -----END PGP SIGNATURE-----
=> 
=> --ZJcv+A0YCCLh2VIg--
=> 
=> --===============0848769135==
=> Content-Type: text/plain; charset="us-ascii"
=> MIME-Version: 1.0
=> Content-Transfer-Encoding: 7bit
=> Content-Disposition: inline
=> 
=> ___________________________________________________________________________
=> Philadelphia Linux Users Group         --        http://www.phillylinux.org
=> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
=> General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
=> 
=> --===============0848769135==--
=> 



-----
Mark Bergman    Biker, Rock Climber, Unix mechanic, IATSE #1 Stagehand

http://wwwkeys.pgp.net:11371/pks/lookup?op=get&search=bergman%40merctech.com

I want a newsgroup with a infinite S/N ratio! Now taking CFV on:
rec.motorcycles.stagehands.pet-bird-owners.pinballers.unix-supporters
15+ So Far--Want to join? Check out: http://www.panix.com/~bergman 


___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug