Subject: Re: setuid ssh
To: None <sommerfeld@orchard.arlington.ma.us>
From: Luke Mewburn <lukem@cs.rmit.edu.au>
List: tech-security
Date: 10/19/2000 12:58:59
Message-Id: <200010190159.MAA09821@wombat.cs.rmit.edu.au>
Reply-to: lukem@cs.rmit.edu.au
To: sommerfeld@orchard.arlington.ma.us
Cc: Andrew Brown <atatat@atatdot.net>, Atsushi Onoe <onoe@sm.sony.co.jp>,
cjs@cynic.net, hubert.feyrer@informatik.fh-regensburg.de,
tech-security@netbsd.org
In-Reply-To: Your message of "Wed, 18 Oct 2000 10:16:25 -0400 "
<20001018141630.AE17D2A2A@orchard.arlington.ma.us>
Date: Thu, 19 Oct 2000 12:58:59 +1100
Bill Sommerfeld writes:
> > i believe they can, but am placing the difficulty level a little
> > higher than breaking into a machine via some other means and obtaining
> > root privs (so as to steal all the keys).
>
> If an attacker gets root privs, "game over"... they can replace the
> kernel and change the rules of the game.
i think the difference is this:
    - with .shosts on the target machine, the target machine
      controls who can access. you can prevent access by changing
      ~/.shosts on the target machine (once).
      to spoof, you need to have a copy of the private host key from a
      source machine and spoof the ip address. this can be much harder
      if you have reasonable router rules and people are attacking from
      an `off site' machine
    - with a passphraseless key, someone can compromise any machine
      with that key, and use that whenever they like until you
      change that key on every host with that key, no matter where
      they are.
sure, if they get root on the target machine you're stuffed in both
cases...
i have `more secure' machines having the ability to ssh as root
to `less secure' machines as root using ~root/.shosts, and
sshd.config options such as:
    IgnoreRootRhosts no            # allow ~root/.shosts
    IgnoreRhosts yes               # ignore ~/.shosts
    RhostsAuthentication no
    RhostsRSAAuthentication yes
    IgnoreUserKnownHosts yes
does ssh actually *need* a privileged port if you're using
RhostsRSAAuthentication? what am i missing?
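The sshd_config fragment above encodes a specific trust policy: no plain rhosts (hostname/IP) trust, host-based trust only when the source host proves its RSA host key, no user-controlled ~/.shosts, and no user-controlled known_hosts entries, with root's ~/.shosts as the single intended trust list. The following is an added example, not code from the message or from NetBSD, that checks a config for exactly that policy and shows the weak counterpart beside it. It assumes the SSH1-era keyword names used in the message, that sshd takes the first occurrence of a keyword (as OpenSSH's sshd does, so a later duplicate is silently ignored), and that a `#` starts a comment; the policy table and both config samples are constructed for the example.

```python
"""Audit SSH1-era sshd_config host-based authentication settings.
Added example; not part of the original mailing-list message."""

# Hypothetical policy table for the scheme described in the message:
# RSA-authenticated root .shosts trust, no plain rhosts trust, no user-
# controlled ~/.shosts or ~/.ssh/known_hosts trust.
EXPECTED = {
    "rhostsauthentication": "no",      # hostname/IP alone is spoofable
    "rhostsrsaauthentication": "yes",  # require the source host's RSA key
    "ignorerhosts": "yes",             # users cannot grant access via ~/.shosts
    "ignoreuserknownhosts": "yes",     # only the system known_hosts counts
    "ignorerootrhosts": "no",          # root's ~/.shosts is the trust list
}


def parse_sshd_config(text):
    """Return {lowercased keyword: lowercased first value}.
    The first occurrence of a keyword wins (assumed, as in OpenSSH),
    '#' starts a comment, blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        conf.setdefault(key, value)  # later duplicates are ignored
    return conf


def audit(text):
    """Return [(keyword, found, expected)] for every setting that deviates
    from EXPECTED; a keyword absent from the config is reported as 'unset'
    rather than assumed to carry a safe default."""
    conf = parse_sshd_config(text)
    findings = []
    for key, want in EXPECTED.items():
        got = conf.get(key, "unset")
        if got != want:
            findings.append((key, got, want))
    return findings


# Constructed sample: the settings quoted in the message.
HARDENED = """\
IgnoreRootRhosts no            # allow ~root/.shosts
IgnoreRhosts yes               # ignore ~/.shosts
RhostsAuthentication no
RhostsRSAAuthentication yes
IgnoreUserKnownHosts yes
"""

# Constructed sample of a weak counterpart: plain rhosts trust is on, any
# user's ~/.shosts and ~/.ssh/known_hosts are honoured, and the attempted
# fix on the last line is ignored because the first value wins.
WEAK = """\
RhostsAuthentication yes
RhostsRSAAuthentication yes
IgnoreRhosts no
IgnoreUserKnownHosts no
IgnoreUserKnownHosts yes       # too late: first value wins
"""

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("weak", WEAK)):
        print(name + ":", audit(text) or "ok")
```

Running it reports the hardened fragment as clean and, for the weak one, flags RhostsAuthentication, IgnoreRhosts and IgnoreUserKnownHosts, plus IgnoreRootRhosts as unset (the audit does not assume a default for it). The `IgnoreUserKnownHosts yes` on the last line of the weak sample is the kind of mistake that survives a visual review: it looks like the fix is in place, but the earlier `no` is the value sshd uses.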