Re: Backport of the integer overflow in the brk system call
On Mon, 8 Dec 2003 13:16, Patrick Ouellette <pouelle@debian.org> wrote:
> On Thu, Dec 04, 2003 at 11:55:26AM -0800, Tom wrote:
> > instance is the hacker sniffed the password, and then logged on to
> > Debian's servers later at his leisure from a different PC. With a
>
> Instead of a smartcard/token/whatever physical device, this incident
> could possibly have been thwarted by requiring developers to pre-register
> their machine with the project (using ssh host key for example). The
> attacker would have the user's account information, but project machines
> would have refused access since the host id did not match the user's
> registered hosts. Then the project machine could have alerted both the
> project's admin team and the owner of the compromised account.
One problem with this is developers' machines that are on dial-up Internet
connections. In the case of such machines you can verify the host key but
not the IP address. Therefore if the machine is cracked then the host key
can be stolen and the machine impersonated.
Another problem is that host keys require a SUID ssh client in the default
configuration. This is bad in that a ssh client can potentially be used to
crack the machine, and it can potentially be used to steal the host key.
If we change ssh to be setgid not setuid for host based authentication then
things will be marginally improved. But another thing that should be done is
to have ssh support for the host key used for host-based authentication not
being the same as that used for incoming ssh connections.
But this still leaves the issue of how to deal with dial-up machines. Even if
we restrict connections to a single ISP, as often dial-up machines are not
used with multiple machines, this still isn't necessarily much good; some
dial-up ISPs have >50,000 IP addresses.
Finally, if the attacker can compromise the machine and the machine is online
(e.g. permanently connected machines) there are no good options.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
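The pre-registration scheme described in the quoted message, and the host-key and SUID concerns raised in the reply, both map onto OpenSSH's host-based authentication. The configuration below is an added example, not part of either message; the host name dev-box.example.org, the address 192.0.2.10 and the key material are placeholders. It makes the server require a client host key that the admin team has registered in the system-wide known-hosts file and, on top of that, the developer's own public key, so sniffed or stolen account credentials alone do not grant access. The signing side of host-based authentication is done by the ssh-keysign helper, which in OpenSSH is the only set-user-ID root component involved; it only signs the authentication challenge and is enabled in the global client configuration.

```conf
# --- /etc/ssh/sshd_config on the project server (added example, placeholder hosts) ---

# Accept host-based authentication, but only as one factor: the comma in
# AuthenticationMethods means both methods must succeed for the same session.
HostbasedAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
AuthenticationMethods hostbased,publickey

# Only the administrator-controlled /etc/ssh/ssh_known_hosts may vouch for a
# client host key; a user must not be able to "register" a machine by editing
# ~/.ssh/known_hosts from an already compromised account.
IgnoreUserKnownHosts yes

# Ignore ~/.rhosts and ~/.shosts for the same reason; host trust lives only in
# /etc/ssh/shosts.equiv, which the admin team maintains.
IgnoreRhosts yes

# Keep the reverse-DNS check on the connecting address (the default), so the
# host name the client presents must also resolve to the address it comes from.
HostbasedUsesNameFromPacketOnly no

# --- /etc/ssh/ssh_known_hosts on the project server ---
# One line per registered developer machine: name, optional address, host
# public key. The key is a placeholder; the real one is the contents of
# /etc/ssh/ssh_host_ed25519_key.pub on that machine, copied by the admin team.
dev-box.example.org,192.0.2.10 ssh-ed25519 AAAA...PLACEHOLDER-HOST-PUBLIC-KEY...

# --- /etc/ssh/shosts.equiv on the project server ---
# Host-name-only lines: a non-root user on the listed host may log in here
# only under the same user name, and only after the host key above matched.
dev-box.example.org

# --- /etc/ssh/ssh_config on the developer machine ---
# ssh-keysign signs the server's challenge with the machine's host key; it is
# a global option and is not honoured from a per-user ~/.ssh/config.
EnableSSHKeysign yes

Host *.example.org
    HostbasedAuthentication yes
```

The reply's remaining points still hold with this setup: a machine on a dial-up connection can be tied to its host key but not to an address, and if that machine is compromised the host private key goes with it, so the registered host becomes a second thing the attacker can impersonate rather than an independent check.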