By Jake Edge
January 13, 2010
A recent discussion on the OpenSSH developers mailing list (openssh-unix-dev) debated the
relative merits of passwords versus keys as ssh authentication methods.
While password authentication has fallen out of favor over the last few
years, there are still situations where it makes more sense than key-based
authentication. As with many security decisions, the right choice is
largely dependent on the threat model one is defending against.
Through no fault of its own, ssh is probably one of the most used (or
abused) mechanisms for system compromise. Repeated brute force
password-guessing attacks are a common "script kiddie" activity, which is
why many
administrators have turned off password authentication entirely. That
means that users must have keys installed on hosts they need to access,
leaving open
another avenue of attack: the corresponding private keys.
When sshd is configured to disallow password authentication (via the
PasswordAuthentication no directive in sshd_config), the
server will no longer allow the traditional username/password pair to be
used to authenticate a user. Instead, the user must generate a
public/private key pair on each host that is to be used to access the sshd
host (or one pair that gets shared among various client
hosts—generally a bad practice). The public key gets installed in
the user's
authorized_keys file on the server and authentication is handled
directly between the ssh client and server.
But what protects the private key? Depending on the user, and their level
of security consciousness, protection could range from directory and file
permissions on the private key file to a password that encrypts the private
key. For password-protected keys, that means that the user must enter the
password to decrypt the private key before the ssh client can use it to
authenticate with the server. Since many users like key-based
authentication because it doesn't require passwords, this extra level of
key security can be annoying—and often gets omitted. That leaves
private keys
potentially accessible on the client system.
Davi Diaz wanted to know how to detect
password-less keys on the server side so that authentications from those
clients could be rejected. But, as Aris Adamantiadis and others pointed out, there is no way for the ssh
server to know:
"Using password-protected keys, the decryption of the private key
is done on client side (to protect the confidentiality of the key), and
there is nothing in the SSH protocol which could stop the behavior of
accepting 'less secure keys because they were stored in clear'."
While password authentication has its downsides, there are some advantages
to it as
Mark Janssen noted: "while keys are better [than] passwords, it's
impossible to enforce passphrase quality on keys, while it is possible
to enforce some quality on passwords." Passwords can also be aged,
so that they must be changed with some frequency. Because account passwords
are under
the control of the server administrator, unlike most private key passwords, an
administrator can enforce strict requirements on them.
But, unlike passwords, private keys generally aren't used in multiple
places, nor are they transmitted anywhere. It is a common, if insecure,
practice for humans to use the same password on their LWN account that they
do to log in with ssh to some other system. So, once a password is cracked
or captured, it can often be used to gain access elsewhere.
There are also ways that compromising a single private key can lead to the
compromise of multiple systems, however. If a password-less private key can be
accessed—via the compromise of a client system or the theft of a
laptop for example—an attacker can access any systems that have
authorized that key. A single compromised private key will often allow an
attacker access to multiple systems, either directly using the compromised
key or by hopping to new systems that have their own password-less
private keys. One
particularly ugly scenario is for root to have authorized keys that allow a
regular user on one system to automatically authenticate as root on the
other. That is one good reason to disallow all root logins via ssh
(PermitRootLogin no in sshd_config).
So, it would seem that disallowing password authentication for ssh and
requiring users to password protect their private keys would go a long way
towards eliminating compromises via ssh. There aren't any technological
means to force passwords on private keys, so an administrator must either
trust their users or disable their access.
As Daniel Kahn Gillmor said:
"If you're worried that your users might leave an unprotected key lying
around, you should *also* be worried that those same users might send
their password via e-mail (even if it's just 'to themselves as a
reminder'), or write it in a cleartext file on their computer, reuse it
for their amazon account, for their blog, etc.
"At some level, you have to trust your users if they're going to use your
system. And have good backups, easy recovery, and regular user
education about good practices, of course ;)"
On the other hand, requiring both keys and passwords would be even
more secure. If the key was also password-protected—with a
different password of course—that would make it stronger
still. But the usual security/convenience tradeoff applies. That much
protection will certainly annoy users, so it may only be necessary for the
most sensitive systems.
There are many things that must be considered when making security
decisions: the sensitivity of the data, the trustworthiness of the users,
the threats being defended against, and so on. One of the things that
makes security so difficult is that there is no "one size fits all"
solution; each situation is different. The various authentication choices
for ssh, and their relative strengths and weaknesses, just bear that out.
Brief items
The BerliOS repository site has been compromised; indeed, it appears it
has been compromised since 2005. What little information is available can
be found from this (German) Heise article (Google translation) and a
screen shot from the defaced site. According to the BerliOS system admin
(a certain Jörg Schilling), no data has been tampered with, but those who
have worked with or gotten code from BerliOS might want to be careful
regardless.
Update: the Heise article is now available in English.
It may be a little off the LWN topic, but Google's "A new approach to China" is worth a read for anybody who hasn't yet seen it. It's a reminder of how important security practices are and what the risks of storing important data in "the cloud" can be. "Third, as part of this investigation but independent of the attack on Google, we have discovered that the accounts of dozens of U.S.-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties."
New vulnerabilities
DevIL: buffer overflow
| Package(s): | DevIL | CVE #(s): | CVE-2009-3994 |
| Created: | January 13, 2010 | Updated: | January 13, 2010 |
| Description: | The DevIL image processing library suffers from a buffer overflow vulnerability exploitable via a specially-crafted image file. |
firefox: multiple vulnerabilities
| Package(s): | firefox-3.5 | CVE #(s): | CVE-2009-3980 CVE-2009-3982 CVE-2009-3388 CVE-2009-3389 |
| Created: | January 8, 2010 | Updated: | June 14, 2010 |
| Description: | From the Ubuntu advisory: Jesse Ruderman, Josh Soref, Martijn Wargers, Jose Angel, Olli Pettay, and David James discovered several flaws in the browser and JavaScript engines of Firefox. If a user were tricked into viewing a malicious website, a remote attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2009-3980, CVE-2009-3982) David Keeler, Bob Clary, and Dan Kaminsky discovered several flaws in third party media libraries. If a user were tricked into opening a crafted media file, a remote attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2009-3388, CVE-2009-3389) |
firefox: denial of service
| Package(s): | firefox | CVE #(s): | CVE-2010-0220 |
| Created: | January 11, 2010 | Updated: | January 13, 2010 |
| Description: | From the Mandriva advisory: The nsObserverList::FillObserverArray function in xpcom/ds/nsObserverList.cpp in Mozilla Firefox before 3.5.7 allows remote attackers to cause a denial of service (application crash) via a crafted web site that triggers memory consumption and an accompanying Low Memory alert dialog, and also triggers attempted removal of an observer from an empty observers array (CVE-2010-0220). |
gif2png: buffer overflows
| Package(s): | gif2png | CVE #(s): | |
| Created: | January 13, 2010 | Updated: | November 22, 2010 |
| Description: | The gif2png utility suffers from buffer overflow vulnerabilities exploitable from the command line. |
horde3: cross-site scripting vulnerability
| Package(s): | horde3 | CVE #(s): | CVE-2009-3701 |
| Created: | January 7, 2010 | Updated: | April 1, 2010 |
| Description: | From the Debian alert: It has been discovered that the horde3 administration interface is prone to cross-site scripting attacks due to the use of the PHP_SELF variable. This issue can only be exploited by authenticated administrators. |
horde3: cross-site scripting vulnerability
| Package(s): | horde3 | CVE #(s): | CVE-2009-4363 |
| Created: | January 7, 2010 | Updated: | April 1, 2010 |
| Description: | From the Debian alert: It has been discovered that horde3 is prone to several cross-site scripting attacks via crafted data:text/html values in HTML messages. |
Kerberos: possible remote exploit
| Package(s): | krb5 | CVE #(s): | CVE-2009-4212 |
| Created: | January 13, 2010 | Updated: | January 19, 2010 |
| Description: | The Kerberos daemon does not properly handle invalid AES blocks; this vulnerability can be used to crash the service and, possibly, execute arbitrary code as root. |
kernel: denial of service
| Package(s): | kernel | CVE #(s): | CVE-2009-4138 |
| Created: | January 7, 2010 | Updated: | August 17, 2010 |
| Description: | From the SuSE alert: drivers/firewire/ohci.c in the Linux kernel when packet-per-buffer mode is used, allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unknown other impact via an unspecified ioctl associated with receiving an ISO packet that contains zero in the payload-length field. |
kernel: denial of service
| Package(s): | kernel | CVE #(s): | CVE-2009-4306 |
| Created: | January 7, 2010 | Updated: | January 13, 2010 |
| Description: | From the SuSE alert: Unspecified vulnerability in the EXT4_IOC_MOVE_EXT (aka move extents) ioctl implementation in the ext4 filesystem in the Linux kernel allows local users to cause a denial of service (filesystem corruption) via unknown vectors, a different vulnerability than CVE-2009-4131. |
kernel: denial of service
| Package(s): | kernel | CVE #(s): | CVE-2009-4307 |
| Created: | January 7, 2010 | Updated: | December 19, 2012 |
| Description: | From the SuSE alert: The ext4_fill_flex_info function in fs/ext4/super.c in the Linux kernel allows user-assisted remote attackers to cause a denial of service (divide-by-zero error and panic) via a malformed ext4 filesystem containing a super block with a large FLEX_BG group size (aka s_log_groups_per_flex value). |
kernel: denial of service
| Package(s): | kernel | CVE #(s): | CVE-2009-4308 |
| Created: | January 7, 2010 | Updated: | October 8, 2010 |
| Description: | From the SuSE alert: The ext4_decode_error function in fs/ext4/super.c in the ext4 filesystem in the Linux kernel allows user-assisted remote attackers to cause a denial of service (NULL pointer dereference), and possibly have unspecified other impact, via a crafted read-only filesystem that lacks a journal. |
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CVE-2007-4567 CVE-2009-4536 CVE-2009-4537 CVE-2009-4538 |
| Created: | January 8, 2010 | Updated: | July 5, 2011 |
| Description: | From the Red Hat advisory: a flaw was found in the IPv6 Extension Header (EH) handling implementation in the Linux kernel. The skb->dst data structure was not properly validated in the ipv6_hop_jumbo() function. This could possibly lead to a remote denial of service. (CVE-2007-4567) a flaw was found in each of the following Intel PRO/1000 Linux drivers in the Linux kernel: e1000 and e1000e. A remote attacker using packets larger than the MTU could bypass the existing fragment check, resulting in partial, invalid frames being passed to the network stack. These flaws could also possibly be used to trigger a remote denial of service. (CVE-2009-4536, CVE-2009-4538) a flaw was found in the Realtek r8169 Ethernet driver in the Linux kernel. Receiving overly-long frames with network cards supported by this driver could possibly result in a remote denial of service. (CVE-2009-4537) |
openttd: denial of service
| Package(s): | openttd | CVE #(s): | CVE-2009-4007 |
| Created: | January 13, 2010 | Updated: | January 13, 2010 |
| Description: | The OpenTTD server can be caused to crash by a remote attacker; version 0.7.5 fixes the bug. |
pdns-recursor: multiple vulnerabilities
| Package(s): | pdns-recursor | CVE #(s): | CVE-2009-4009 CVE-2009-4010 |
| Created: | January 7, 2010 | Updated: | February 16, 2010 |
| Description: | From the Red Hat bug report: This Wednesday the release of the PowerDNS Recursor 3.1.7.2 will be made public, which fixes two important security issues, one of which is remotely exploitable. Given the critical nature of these vulnerabilities, we are trying to keep details confidential for a few more days. |
phpldapadmin: remote file inclusion
| Package(s): | phpldapadmin | CVE #(s): | CVE-2009-4427 |
| Created: | January 7, 2010 | Updated: | January 21, 2010 |
| Description: | From the Debian alert: It was discovered that phpLDAPadmin, a web based interface for administering LDAP servers, doesn't sanitize an internal variable, which allows remote attackers to include and execute arbitrary local files. |
pidgin: directory traversal
| Package(s): | pidgin | CVE #(s): | CVE-2010-0013 |
| Created: | January 12, 2010 | Updated: | April 29, 2010 |
| Description: | From the Mandriva advisory: Directory traversal vulnerability in slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read arbitrary files via a .. (dot dot) in an application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a related issue to CVE-2004-0122. NOTE: it could be argued that this is resultant from a vulnerability in which an emoticon download request is processed even without a preceding text/x-mms-emoticon message that announced availability of the emoticon. |
sendmail: several vulnerabilities
| Package(s): | sendmail | CVE #(s): | CVE-2009-4565 |
| Created: | January 12, 2010 | Updated: | June 26, 2012 |
| Description: | From the Mandriva advisory: sendmail before 8.14.4 does not properly handle a '\0' (NUL) character in a Common Name (CN) field of an X.509 certificate, which (1) allows man-in-the-middle attackers to spoof arbitrary SSL-based SMTP servers via a crafted server certificate issued by a legitimate Certification Authority, and (2) allows remote attackers to bypass intended access restrictions via a crafted client certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408 |
sssd: authentication bypass
| Package(s): | sssd | CVE #(s): | CVE-2010-0014 |
| Created: | January 13, 2010 | Updated: | January 13, 2010 |
| Description: | In some situations, sssd will accept any password as valid when Kerberos is unreachable. |
trac: multiple vulnerabilities
| Package(s): | trac | CVE #(s): | CVE-2009-4405 |
| Created: | January 13, 2010 | Updated: | January 13, 2010 |
| Description: | Versions of trac prior to 0.11.6 suffer from "multiple unspecified vulnerabilities" with "unknown impact and attack vectors." |
transmission: directory traversal
| Package(s): | transmission | CVE #(s): | CVE-2010-0012 |
| Created: | January 8, 2010 | Updated: | January 18, 2010 |
| Description: | From the Debian advisory: Dan Rosenberg discovered that Transmission, a lightweight client for the Bittorrent filesharing protocol performs insufficient sanitizing of file names specified in .torrent files. This could lead to the overwrite of local files with the privileges of the user running Transmission if the user is tricked into opening a malicious torrent file. |
Page editor: Jake Edge