
Re: Backport of the integer overflow in the brk system call

On Mon, 8 Dec 2003 13:16, Patrick Ouellette <pouelle@debian.org> wrote:
> On Thu, Dec 04, 2003 at 11:55:26AM -0800, Tom wrote:
> > instance is the hacker sniffed the password, and then logged on to
> > Debian's servers later at his leisure from a different PC.  With a
> Instead of a smartcard/token/whatever physical device, this incident
> could possibly have been thwarted by requiring developers to pre-register
> their machine with the project (using ssh host key for example).  The
> attacker would have the user's account information, but project machines
> would have refused access since the host id did not match the user's
> registered hosts.  Then the project machine could have alerted both the
> project's admin team and the owner of the compromised account.

One problem with this is developers' machines that are on dial-up Internet 
connections.  In the case of such machines you can verify the host key but 
not the IP address.  Therefore if the machine is cracked then the host key 
can be stolen and the machine impersonated.

Another problem is that host keys require a SUID ssh client in the default 
configuration.  This is bad in that an ssh client can potentially be used to 
crack the machine, and it can potentially be used to steal the host key.

If we change ssh to be setgid not setuid for host based authentication then 
things will be marginally improved.  But another thing that should be done is 
to have ssh support for the host key used for host-based authentication not 
being the same as that used for incoming ssh connections.

But this still leaves the issue of how to deal with dial-up machines.  Even if 
we restrict connections to a single ISP, as often dial-up machines are not 
used with multiple machines, this still isn't necessarily much good, since some 
dial-up ISPs have >50,000 IP addresses.

Finally, if the attacker can compromise the machine and the machine is online 
(e.g. permanently connected machines) there are no good options.

http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
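The registration check proposed in the quoted message, with the dial-up caveat raised in the reply, written out as an added example; this is not code from the thread, from Debian or from OpenSSH. It assumes a hypothetical registry mapping a developer account to the SHA256 fingerprints of its registered host keys plus an optional source network, and the two host keys it uses are constructed byte patterns, not real keys. It shows that with a dial-up developer (no fixed network) the host key alone decides, so a key stolen from a cracked machine passes the check.

```python
"""Registered-host check for ssh logins (added example, hypothetical registry)."""
import base64
import hashlib
import ipaddress
import struct


def parse_pubkey_line(line):
    """Parse an OpenSSH public-key line ("ssh-ed25519 AAAA... comment").

    Returns (key_type, raw_blob).  The blob's first length-prefixed string
    is the key type; it must match the declared type or the line is rejected.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type inside blob does not match declared type")
    return key_type, blob


def fingerprint(line):
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (unpadded base64)."""
    _, blob = parse_pubkey_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def _constructed_key_line(seed):
    # CONSTRUCTED sample: an ssh-ed25519 public-key line built from a fixed
    # 32-byte pattern.  It is not a real key; only the wire encoding matters.
    key_type = b"ssh-ed25519"
    raw = bytes((seed + i) % 256 for i in range(32))
    blob = (struct.pack(">I", len(key_type)) + key_type
            + struct.pack(">I", len(raw)) + raw)
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " constructed@example"


ALICE_KEY = _constructed_key_line(1)   # constructed: alice's office machine
BOB_KEY = _constructed_key_line(77)    # constructed: bob's dial-up machine

# Hypothetical registry: account -> registered host-key fingerprints and,
# where the machine has a fixed address range, the network it connects from.
# bob is on dial-up, so no network can be pinned and only the key is checked.
REGISTRY = {
    "alice": {"hosts": {fingerprint(ALICE_KEY)},
              "network": ipaddress.ip_network("192.0.2.0/24")},
    "bob": {"hosts": {fingerprint(BOB_KEY)}, "network": None},
}


def check_login(user, presented_key_line, source_ip, registry=REGISTRY):
    """Decide a login attempt.  Returns (allowed, alert); alert is None when
    there is nothing to report to the admin team and the account owner."""
    entry = registry.get(user)
    if entry is None:
        return False, "unknown account %s" % user
    fp = fingerprint(presented_key_line)
    if fp not in entry["hosts"]:
        return False, "%s: login from unregistered host %s at %s" % (user, fp, source_ip)
    net = entry["network"]
    if net is not None and ipaddress.ip_address(source_ip) not in net:
        return False, "%s: registered key %s but source %s outside %s" % (user, fp, source_ip, net)
    # No network registered (dial-up): the key alone decided.  A host key
    # stolen from a cracked machine reaches this point undetected.
    return True, None


if __name__ == "__main__":
    for user, key, ip in [("alice", ALICE_KEY, "192.0.2.10"),
                          ("alice", ALICE_KEY, "198.51.100.5"),
                          ("alice", BOB_KEY, "192.0.2.10"),
                          ("bob", BOB_KEY, "203.0.113.77")]:
        print(user, ip, check_login(user, key, ip))
```

The fingerprint routine mirrors what `ssh-keygen -lf` reports, so a registry populated from each developer's `/etc/ssh/ssh_host_*_key.pub` can be compared directly against what sshd logs for a host-based login; the network field is the only thing distinguishing a registered key on a permanently connected machine from the same key replayed from elsewhere, and for a dial-up account that field is empty.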