Security
SSH: passwords or keys?
A recent discussion on the OpenSSH developers mailing list (openssh-unix-dev) debated the relative merits of passwords versus keys as ssh authentication methods. While password authentication has fallen out of favor over the last few years, there are still situations where it makes more sense than key-based authentication. As with many security decisions, the right choice is largely dependent on the threat model one is defending against.
Through no fault of its own, ssh is probably one of the most used (or abused) mechanisms for system compromise. Repeated brute force password-guessing attacks are a common "script kiddie" activity, which is why many administrators have turned off password authentication entirely. That means that users must have keys installed on hosts they need to access, leaving open another avenue of attack: the corresponding private keys.
When sshd is configured to disallow password authentication (via the PasswordAuthentication no directive in sshd_config), the server will no longer allow the traditional username/password pair to be used to authenticate a user. Instead, the user must generate a public/private key pair on each host that is to be used to access the sshd host (or one pair that gets shared among various client hosts—generally a bad practice). The public key gets installed in the user's authorized_keys file on the server and authentication is handled directly between the ssh client and server.
But what protects the private key? Depending on the user, and their level of security consciousness, protection could range from directory and file permissions on the private key file to a password that encrypts the private key. For password-protected keys, that means that the user must enter the password to decrypt the private key before the ssh client can use it to authenticate with the server. Since many users like key-based authentication because it doesn't require passwords, this extra level of key security can be annoying—and often gets omitted. That leaves private keys potentially accessible on the client system.
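Whether a private key file carries a passphrase can be read from the file itself on the client, which is where such an audit has to happen. The following is an added example, not code from the article or from the OpenSSH project; the function names and the header-only sample keys are constructed for illustration.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"  # start of the current OpenSSH key format

def key_protection(key_text):
    """Return 'encrypted', 'unencrypted' or 'unknown' for a private key file."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        return "unknown"
    label = lines[0][len("-----BEGIN "):].rstrip("-").strip()
    if not label.endswith("PRIVATE KEY"):
        return "unknown"
    if label == "ENCRYPTED PRIVATE KEY":  # PKCS#8 encrypted container
        return "encrypted"
    if label == "OPENSSH PRIVATE KEY":
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        try:
            blob = base64.b64decode(body)
        except ValueError:
            return "unknown"
        off = len(OPENSSH_MAGIC)
        if not blob.startswith(OPENSSH_MAGIC) or len(blob) < off + 4:
            return "unknown"
        (n,) = struct.unpack(">I", blob[off:off + 4])
        cipher = blob[off + 4:off + 4 + n]  # first field is the cipher name
        if len(cipher) != n:
            return "unknown"
        return "unencrypted" if cipher == b"none" else "encrypted"
    # Legacy PEM (RSA/DSA/EC): encryption is declared in a Proc-Type header.
    if any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:]):
        return "encrypted"
    return "unencrypted"

def sample_openssh_key(cipher):
    """Constructed sample: header fields only, no real key material."""
    field = lambda b: struct.pack(">I", len(b)) + b
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = OPENSSH_MAGIC + field(cipher) + field(kdf) + field(b"")
    b64 = base64.b64encode(blob).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % b64

SAMPLE_LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00000000000000000000000000000000

AAAA
-----END RSA PRIVATE KEY-----
"""  # constructed: legacy PEM headers with a placeholder body

if __name__ == "__main__":
    for text in (sample_openssh_key(b"none"), SAMPLE_LEGACY_ENCRYPTED):
        print(key_protection(text))
```

The check says only that a passphrase exists, not how strong it is, which is the limitation Mark Janssen describes.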
Davi Diaz wanted to know how to detect password-less keys on the server side so that authentications from those clients could be rejected. But, as Aris Adamantiadis and others pointed out, there is no way for the ssh server to know:
While password authentication has its downsides, there are some advantages to it as Mark Janssen noted: "while keys are better [than] passwords, it's impossible to enforce passphrase quality on keys, while it is possible to enforce some quality on passwords." Passwords can also be aged, so that they must be changed with some frequency. Because account passwords are under the control of the server administrator, unlike most private key passwords, an administrator can enforce strict requirements on them.
But, unlike passwords, private keys generally aren't used in multiple places, nor are they transmitted anywhere. It is a common, if insecure, practice for humans to use the same password on their LWN account that they do to log in with ssh to some other system. So, once a password is cracked or captured, it can often be used to gain access elsewhere.
There are also ways that compromising a single private key can lead to the compromise of multiple systems, however. If a password-less private key can be accessed—via the compromise of a client system or the theft of a laptop for example—an attacker can access any systems that have authorized that key. A single compromised private key will often allow an attacker access to multiple systems, either directly using the compromised key or by hopping to new systems that have their own password-less private keys. One particularly ugly scenario is for root to have authorized keys that allow a regular user on one system to automatically authenticate as root on the other. That is one good reason to disallow all root logins via ssh (PermitRootLogin no in sshd_config).
So, it would seem that disallowing password authentication for ssh and requiring users to password protect their private keys would go a long way towards eliminating compromises via ssh. There aren't any technological means to force passwords on private keys, but an administrator must either trust their users or disable their access. As Daniel Kahn Gillmor said:
At some level, you have to trust your users if they're going to use your system. And have good backups, easy recovery, and regular user education about good practices, of course ;)
On the other hand, requiring both keys and passwords would be even more secure. If the key was also password-protected—with a different password of course—that would make it stronger still. But the usual security/convenience tradeoff applies. That much protection will certainly annoy users, so it may only be necessary for the most sensitive systems.
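The directives named in this article can be audited from the server's configuration text. The following is an added example, not code from the article or from the OpenSSH project: it classifies a configuration by PasswordAuthentication, PermitRootLogin and AuthenticationMethods, the directive that OpenSSH 6.2 and later provide for requiring a key and a password together. The function names, policy labels and sample configurations are constructed, and Match blocks are deliberately left out of scope.

```python
def effective_settings(config_text):
    """Global sshd_config settings; sshd keeps the first value of each keyword."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()              # keywords are case-insensitive
        if key == "match":
            break                           # conditional blocks are not audited here
        seen.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return seen

def auth_policy(config_text):
    """Return (policy, root_login_disabled) for the article's three directives."""
    s = effective_settings(config_text)
    # AuthenticationMethods: space-separated alternatives, each a comma-separated
    # list of methods that must all succeed.
    lists = [{m.split(":")[0] for m in alt.split(",")}
             for alt in s.get("authenticationmethods", "").split()]
    if lists and all("publickey" in alt for alt in lists):
        both = all("password" in alt for alt in lists)
        policy = "key+password" if both else "key-required"
    elif s.get("passwordauthentication") == "no":
        policy = "password-disabled"
    else:
        policy = "password-alone-accepted"  # also when unset: the default is yes
    return policy, s.get("permitrootlogin") == "no"

# Constructed sample configurations (not taken from any real host).
WEAK = """\
PermitRootLogin yes
PasswordAuthentication yes
# a later duplicate is ignored: the first value wins
PasswordAuthentication no
"""
KEYS_ONLY = "PasswordAuthentication no\nPermitRootLogin no\n"
KEY_AND_PASSWORD = """\
PasswordAuthentication yes
PermitRootLogin no
AuthenticationMethods publickey,password
"""

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK), ("keys only", KEYS_ONLY),
                      ("key and password", KEY_AND_PASSWORD)]:
        print(name, auth_policy(cfg))
```

The WEAK sample shows why appending a hardened line to the end of an existing file is not enough: the earlier value stays in effect.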
There are many things that must be considered when making security decisions: the sensitivity of the data, the trustworthiness of the users, the threats being defended against, and so on. One of the things that makes security so difficult is that there is no "one size fits all" solution; each situation is different. The various authentication choices for ssh, and their relative strengths and weaknesses, just bear that out.
Brief items
BerliOS compromised
The BerliOS repository site has been compromised; indeed, it appears it has been compromised since 2005. What little information is available can be found from this (German) Heise article (Google translation) and a screen shot from the defaced site. According to the BerliOS system admin (a certain Jörg Schilling), no data has been tampered with, but those who have worked with or gotten code from BerliOS might want to be careful regardless. Update: the Heise article is now available in English.
Google: a new approach to China
It may be a little off the LWN topic, but Google's "a new approach to China" is worth a read for anybody who hasn't yet seen it. It's a reminder of how important security practices are and what the risks of storing important data in "the cloud" can be. "Third, as part of this investigation but independent of the attack on Google, we have discovered that the accounts of dozens of U.S.-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties."
New vulnerabilities
DevIL: buffer overflow
| Package(s): | DevIL | CVE #(s): | CVE-2009-3994 |
| Created: | January 13, 2010 | Updated: | January 13, 2010 |
| Description: | The DevIL image processing library suffers from a buffer overflow vulnerability exploitable via a specially-crafted image file. |
firefox: multiple vulnerabilities
| Package(s): | firefox-3.5 | CVE #(s): | CVE-2009-3980 CVE-2009-3982 CVE-2009-3388 CVE-2009-3389 |
| Created: | January 8, 2010 | Updated: | December 3, 2013 |
| Description: | From the Ubuntu advisory: Jesse Ruderman, Josh Soref, Martijn Wargers, Jose Angel, Olli Pettay, and David James discovered several flaws in the browser and JavaScript engines of Firefox. If a user were tricked into viewing a malicious website, a remote attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2009-3980, CVE-2009-3982) David Keeler, Bob Clary, and Dan Kaminsky discovered several flaws in third party media libraries. If a user were tricked into opening a crafted media file, a remote attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2009-3388, CVE-2009-3389) |
firefox: denial of service
| Package(s): | firefox | CVE #(s): | CVE-2010-0220 |
| Created: | January 11, 2010 | Updated: | January 13, 2010 |
| Description: | From the Mandriva advisory: The nsObserverList::FillObserverArray function in xpcom/ds/nsObserverList.cpp in Mozilla Firefox before 3.5.7 allows remote attackers to cause a denial of service (application crash) via a crafted web site that triggers memory consumption and an accompanying Low Memory alert dialog, and also triggers attempted removal of an observer from an empty observers array (CVE-2010-0220). |
gif2png: buffer overflows
| Package(s): | gif2png | CVE #(s): | |
| Created: | January 13, 2010 | Updated: | November 22, 2010 |
| Description: | The gif2png utility suffers from buffer overflow vulnerabilities exploitable from the command line. |
horde3: cross-site scripting vulnerability
| Package(s): | horde3 | CVE #(s): | CVE-2009-3701 |
| Created: | January 7, 2010 | Updated: | April 1, 2010 |
| Description: | From the Debian alert: It has been discovered that the horde3 administration interface is prone to cross-site scripting attacks due to the use of the PHP_SELF variable. This issue can only be exploited by authenticated administrators. |
horde3: cross-site scripting vulnerability
| Package(s): | horde3 | CVE #(s): | CVE-2009-4363 |
| Created: | January 7, 2010 | Updated: | April 1, 2010 |
| Description: | From the Debian alert: It has been discovered that horde3 is prone to several cross-site scripting attacks via crafted data:text/html values in HTML messages. |
Kerberos: possible remote exploit
| Package(s): | krb5 | CVE #(s): | CVE-2009-4212 |
| Created: | January 13, 2010 | Updated: | January 19, 2010 |
| Description: | The Kerberos daemon does not properly handle invalid AES blocks; this vulnerability can be used to crash the service and, possibly, execute arbitrary code as root. |
kernel: denial of service
| Package(s): | kernel | CVE #(s): | CVE-2009-4138 |
| Created: | January 7, 2010 | Updated: | August 17, 2010 |
| Description: | From the SuSE alert: drivers/firewire/ohci.c in the Linux kernel when packet-per-buffer mode is used, allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unknown other impact via an unspecified ioctl associated with receiving an ISO packet that contains zero in the payload-length field. |
kernel: denial of service
| Package(s): | kernel | CVE #(s): | CVE-2009-4306 |
| Created: | January 7, 2010 | Updated: | January 13, 2010 |
| Description: | From the SuSE alert: Unspecified vulnerability in the EXT4_IOC_MOVE_EXT (aka move extents) ioctl implementation in the ext4 filesystem in the Linux kernel allows local users to cause a denial of service (filesystem corruption) via unknown vectors, a different vulnerability than CVE-2009-4131. |
kernel: denial of service
| Package(s): | kernel | CVE #(s): | CVE-2009-4307 |
| Created: | January 7, 2010 | Updated: | December 19, 2012 |
| Description: | From the SuSE alert: The ext4_fill_flex_info function in fs/ext4/super.c in the Linux kernel allows user-assisted remote attackers to cause a denial of service (divide-by-zero error and panic) via a malformed ext4 filesystem containing a super block with a large FLEX_BG group size (aka s_log_groups_per_flex value). |
kernel: denial of service
| Package(s): | kernel | CVE #(s): | CVE-2009-4308 |
| Created: | January 7, 2010 | Updated: | October 8, 2010 |
| Description: | From the SuSE alert: The ext4_decode_error function in fs/ext4/super.c in the ext4 filesystem in the Linux kernel allows user-assisted remote attackers to cause a denial of service (NULL pointer dereference), and possibly have unspecified other impact, via a crafted read-only filesystem that lacks a journal. |
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CVE-2007-4567 CVE-2009-4536 CVE-2009-4537 CVE-2009-4538 |
| Created: | January 8, 2010 | Updated: | July 5, 2011 |
| Description: | From the Red Hat advisory: a flaw was found in the IPv6 Extension Header (EH) handling implementation in the Linux kernel. The skb->dst data structure was not properly validated in the ipv6_hop_jumbo() function. This could possibly lead to a remote denial of service. (CVE-2007-4567) a flaw was found in each of the following Intel PRO/1000 Linux drivers in the Linux kernel: e1000 and e1000e. A remote attacker using packets larger than the MTU could bypass the existing fragment check, resulting in partial, invalid frames being passed to the network stack. These flaws could also possibly be used to trigger a remote denial of service. (CVE-2009-4536, CVE-2009-4538) a flaw was found in the Realtek r8169 Ethernet driver in the Linux kernel. Receiving overly-long frames with network cards supported by this driver could possibly result in a remote denial of service. (CVE-2009-4537) |
openttd: denial of service
| Package(s): | openttd | CVE #(s): | CVE-2009-4007 |
| Created: | January 13, 2010 | Updated: | January 13, 2010 |
| Description: | The OpenTTD server can be caused to crash by a remote attacker; version 0.7.5 fixes the bug. |
pdns-recursor: multiple vulnerabilities
| Package(s): | pdns-recursor | CVE #(s): | CVE-2009-4009 CVE-2009-4010 |
| Created: | January 7, 2010 | Updated: | February 16, 2010 |
| Description: | From the Red Hat bug report: This Wednesday the release of the PowerDNS Recursor 3.1.7.2 will be made public, which fixes two important security issues, one of which is remotely exploitable. Given the critical nature of these vulnerabilities, we are trying to keep details confidential for a few more days. |
phpldapadmin: remote file inclusion
| Package(s): | phpldapadmin | CVE #(s): | CVE-2009-4427 |
| Created: | January 7, 2010 | Updated: | January 21, 2010 |
| Description: | From the Debian alert: It was discovered that phpLDAPadmin, a web based interface for administering LDAP servers, doesn't sanitize an internal variable, which allows remote attackers to include and execute arbitrary local files. |
pidgin: directory traversal
| Package(s): | pidgin | CVE #(s): | CVE-2010-0013 |
| Created: | January 12, 2010 | Updated: | April 29, 2010 |
| Description: | From the Mandriva advisory: Directory traversal vulnerability in slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read arbitrary files via a .. (dot dot) in an application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a related issue to CVE-2004-0122. NOTE: it could be argued that this is resultant from a vulnerability in which an emoticon download request is processed even without a preceding text/x-mms-emoticon message that announced availability of the emoticon. |
sendmail: several vulnerabilities
| Package(s): | sendmail | CVE #(s): | CVE-2009-4565 |
| Created: | January 12, 2010 | Updated: | June 26, 2012 |
| Description: | From the Mandriva advisory: sendmail before 8.14.4 does not properly handle a '\0' (NUL) character in a Common Name (CN) field of an X.509 certificate, which (1) allows man-in-the-middle attackers to spoof arbitrary SSL-based SMTP servers via a crafted server certificate issued by a legitimate Certification Authority, and (2) allows remote attackers to bypass intended access restrictions via a crafted client certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408 |
sssd: authentication bypass
| Package(s): | sssd | CVE #(s): | CVE-2010-0014 |
| Created: | January 13, 2010 | Updated: | January 13, 2010 |
| Description: | In some situations, sssd will accept any password as valid when Kerberos is unreachable. |
trac: multiple vulnerabilities
| Package(s): | trac | CVE #(s): | CVE-2009-4405 |
| Created: | January 13, 2010 | Updated: | January 13, 2010 |
| Description: | Versions of trac prior to 0.11.6 suffer from "multiple unspecified vulnerabilities" with "unknown impact and attack vectors." |
transmission: directory traversal
| Package(s): | transmission | CVE #(s): | CVE-2010-0012 |
| Created: | January 8, 2010 | Updated: | January 18, 2010 |
| Description: | From the Debian advisory: Dan Rosenberg discovered that Transmission, a lightweight client for the Bittorrent filesharing protocol performs insufficient sanitizing of file names specified in .torrent files. This could lead to the overwrite of local files with the privileges of the user running Transmission if the user is tricked into opening a malicious torrent file. |
Page editor: Jake Edge
