SSH authentication in the clear

1 view
Skip to first unread message

Aaron Toponce

unread,
Dec 21, 2009, 1:42:07 PM12/21/09
to oa...@googlegroups.com
First, if an attacker has physical access to a machine, all bets are
off. Period.

Second, read up on this blog post by Joseph Hall:
http://blog.josephhall.com/2009/12/fun-with-sshd-and-strace.html

Third, realize that root can do _anything_ on a machine he pleases. The
best approach that I'm aware of is an RBAC-based system, like something
with SELinux RBAC, or equivalent. So, long story short, trust your
system administrator.

Lastly, this technique that jphall is describing can happen on _any_ SSH
service, regardless if the server is provided by OpenSSH, SunSSH,
SSH.com, or otherwise. The fact of the matter is, strace is a debugging
utility, and it's debugging the system calls made on the system. You can
use other debugging utilities to sniff out key strokes, rather than
system calls, and get the same results.

So, in short, what does this mean? Well, it's a good advocate for using
SSH keys for your authentication, rather than passwords. As long as your
private SSH key(s) is/are strongly passphrase protected, and you keep
it/them in a secure private location, there isn't much an attacker could
do with SSH key-based authentication.

If you're curious, I have successfully verified this "attack" on
FreeBSD, RHEL, Debian (all three OpenSSH servers), Solaris (SunSSH), and
HPUX (whatever it's using- I think OpenSSH).

I wouldn't necessarily call this a bug, or hole, as again, an attacker
who has root can do so much more on your machine. Interesting nonetheless.

--
. O . O . O . . O O . . . O .
. . O . O O O . O . O O . . O
O O O . O . . O O O O . O O O

signature.asc
Reply all
Reply to author
Forward
0 new messages