LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Sponsored link

Vyatta – Linux & Open Source Alternative to Cisco – Advanced Routing, Firewall, VPN, QoS..
Free Download ->

Recent Features

LWN.net Weekly Edition for November 20, 2008

MinGW and why Linux users should care

LWN.net Weekly Edition for November 13, 2008

NLUUG/ELCE: Embedded devices and free software

The sad story of the em28xx driver

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

The coming Web security woes (News.com)

The coming Web security woes (News.com)

Posted Jul 12, 2005 0:39 UTC (Tue) by dlang (subscriber, #313)
In reply to: The coming Web security woes (News.com) by rqosa
Parent article: The coming Web security woes (News.com)

and this approach opens all those machines up to a transitive trust attack.

This is exactly the attack that was used to comprimise the supercomputer clusters last year. The attacker breaks into one machine that you use and then uses the trust embodied by your SSH keys to roam around all the other machines that you have access to with your credentials.

(Log in to post comments)

SSH transitive trust attack

Posted Jul 12, 2005 1:54 UTC (Tue) by dskoll (subscriber, #1630) [Link]

and this approach opens all those machines up to a transitive trust attack.

Presumably, you encrypt your SSH keys with a passphrase. And newer versions of SSH store hashes of hostnames in the "known hosts" file, making this kind of attack a lot harder.

SSH transitive trust attack

Posted Jul 12, 2005 2:02 UTC (Tue) by emkey (guest, #144) [Link]

Lets just say that there are still ways around that. And yes, I know of at least one which I won't mention here in public.

Anyone who doesn't authenticate to each and every system they connect to by means of some form of password (preferably a one time password) is very very foolish in my opinion if they don't think they are seriously compromising their security.

Takes me back to the days when sun shipped all their systems with /etc/hosts.equiv files that had nothing but a single plus and users created .rhosts files that included every system they logged into or from.

SSH transitive trust attack

Posted Jul 14, 2005 12:29 UTC (Thu) by nix (subscriber, #2304) [Link]

Lets just say that there are still ways around that. And yes, I know of at least one which I won't mention here in public.
That's more than mildly reminiscent of `the lurkers support me in e-mail'. (Obviously if a keylogger is running on your machine, your passphrase is toast!)

SSH transitive trust attack

Posted Jul 14, 2005 13:57 UTC (Thu) by emkey (guest, #144) [Link]

No, it is very much reminiscent of somebody (me) who doesn't want to give out sensitive information. And thats all I can say alas.

Transitive Trust is Red Herring

Posted Jul 12, 2005 2:03 UTC (Tue) by AnswerGuy (subscriber, #1256) [Link]

My knee jerk thought is that the users of ssh who had their keys used to attack lots of other systems should have been using ssh-agent.

However, that would lead to an escalation of "yeah! but ..." (but the compromised machine could have the keys snooped out of ssh-agent's memory or the pass phrases sniffed by a keyboard sniffer or a trojan copy of ssh or ssh-add or ... ad nauseum.

My point is that we are inevitably trusting some devices in any authentication scheme. I've heard of crackers who've employed intelligent keyboards as hardware keyloggers. Have you cracked open the case of your keyboard recently? Do you have a tamperproof seal on it? There's certainly room to slip in an extra couple of chips, connected in-line with the cable and capable of storing millions of keystrokes. I'd bet a reasonable skilled electronics hack could make something that would be installable within a few minutes and it could possibly include its own encrypted BlueTooth (so the attacker could fetch the stored keystrokes from several cubicles away, possibly even through a sealed window from anywhere in line of sight).

So the assertion that something like ssh or PGP or smart cards makes one "more vulnerable" is simply a red herring. Poor usage procedures might make that the case in some situations, but even the best practices cannot eliminate this "transitive trust."

JimD

Transitive Trust is Red Herring

Posted Jul 12, 2005 2:32 UTC (Tue) by dlang (subscriber, #313) [Link]

one final point on transitive trust, the attacks useing it are real, takeing place today against people who are saying 'I'm useing SSH so of course I'm safe', we aren't talking about a possible future escalation, we are talking about the here and now (IIRC the comprimise of the Debian servers last year was the same thing)

as for your argument about not trusting your keyboard, etc.

that is exactly why a smartcard needs to be fully self contained and not trust the system it's plugged into.

it doesn't nessasarily require any special reader, you could make one that plugged into a PCMCIA/USB/Compact Flash/etc slot (USB is close enough to universal that it's probably the best option right now)

the key is how it's used.

it needs to avoid exposing it's shared secrets to the host machine (you need to allow a host machine to load the key into it, but after that you shouldn't be able to read it back out)

it needs to limit how much it can be used (to keep an attacker from trying to query every possible challange-response pair from it). This could be as simple as limiting it to X authentications/second, or as complex as requiring the user to authorize the smartcard to respond each and every time (say a fingerprint reader on the card, remember you can't trust the computer to not tamper (or copy) with any user input before giving it to you)

and the interface for the device can also be very simple, you just need to feed it a couple pieces of data (the minimum being the challange from the remote site, but adding the userid the challange is for and what the site is claiming to be would allow for multiple usrid's per smartcard and logging in the smartcard which could be useful) and respond with the appropriate response. you could make it look like any sort of device that you want (a serial port or modem would be trivial to get the right interface to for example, and would take advantage of common OS drivers to support it)

the real complication is in handleing the public info and maintaining it on all the servers (which includes key renewal, revocation, etc)

Transitive Trust is Red Herring

Posted Jul 12, 2005 4:03 UTC (Tue) by rqosa (guest, #24136) [Link]

> IIRC the comprimise of the Debian servers last year was the same thing

According to Martin Schulze, the Debian break-in was done using a sniffed password.

The coming Web security woes (News.com)

Posted Jul 12, 2005 3:55 UTC (Tue) by rqosa (guest, #24136) [Link]

Simply breaking into a ssh server shouldn't be sufficient to get people's private keys, because there's never any need to store private keys on a machine with sshd running (or any outward-facing open ports) or transmit them over a network; if someone does that, it's their own fault.

Also, there's the possibility of using different keys for each server one connects to.

The coming Web security woes (News.com)

Posted Jul 12, 2005 5:04 UTC (Tue) by dlang (subscriber, #313) [Link]

you could use different keys for each server, but more important then that is to use different passphrases for each key, and now you're back to remembering a different password (passphrase) for each server, which is not practical for most people.

transitive trust attacks don't come from attacking the server, they come from attacking the client machine, gaining control of that machine and then accessing the machines that trust it (sometimes accessing them directly, frequently accesing them through the first comprimised machine)

the server being accessed through SSH only knows that the connection is comeing from machine A, it doesn't have any idea if it is joe user or henry hacker that's makeing that connection, the server is trusting the security of machine A to enforce that.

when people don't lock things down by IP as well you don't even know that the connection is comeing from machine A, you just know it's comeing from someone who has access to the cert, this could be joe user on his laptop, or it could be henry hacker who installed a keystroke logger on Joe's machine to get his passphrase and copies his keys while he was in there.

David Lang

The coming Web security woes (News.com)

Posted Jul 12, 2005 6:18 UTC (Tue) by rqosa (guest, #24136) [Link]

> transitive trust attacks don't come from attacking the server, they come from attacking the client machine, gaining control of that machine and then accessing the machines that trust it

But attacking a client machine, which presumably has no outward-facing open ports, is more difficult than attacking a server, and once a client machine has been compromised it could have a keystroke logger installed so a transitive trust attack could be done even if the user is using plain old passwords for authentication. OTOH, there's one-time passwords...

The coming Web security woes (News.com)

Posted Jul 12, 2005 13:51 UTC (Tue) by emkey (guest, #144) [Link]

Even one time passwords will not fully protect you.

The wider your trust boundary, the better the odds of compromise. The more critical/sensitive the application, the smaller that trust boundary should be.

ssh is a great tool. However, it is not magic. It is only as good as the underlying protocols and codebase allow it to be.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds