[CentOS] sshd hack
Bruno S. Delbono
Bruno.S.Delbono at Mail.AC
Sat Mar 11 17:32:37 UTC 2006
Jeff Kinz wrote:
> If your ssh keys are in a file on a remote server, does that mean anyone
> who has root on that system can use them to gain access to ssh into your home
> system?
It depends. There are two types of keys: public and private keys.
Obviously, you only need to upload the public key to the server you want
to log in to (as authorized_keys with OpenSSH). The private key should be
password protected (i.e. NO BLANK PASSWORDS on DSA/RSA keys).
If someone has root on a server where the private key is located, they
can see the key. But after seeing the key, they need to know the IP/FQDN
of the remote SSH server "AND" know the password of the private key
(which is why having a pass-"phrase" is a better idea than pass-"word").
Not only that, but newer versions of SSH allow you to encrypt your
known_hosts file. From Damien Miller's Post:
Added the ability to store hostnames added to ~/.ssh/known_hosts in a
hashed format. This is a privacy feature that prevents a local attacker
from learning other hosts that a user has accounts on from their
known_hosts file.
So instead of hostnames being stored in plain text like:
> yourhost.example.com ssh-rsa AAAB3NzaC1yc2EAAAABIwAAAIEAp832eeMwYH…
They are hashed first, so they don’t reveal the hostname. E.g.:
> |1|bRGYyrC+bfKZGGd5GZH4wo1AnsI=|xcQ+54QNVwQ+fBCldn0= ssh-rsa AAA…
We added this at the request of some MIT researchers who found that a
substantial number of user private keys on shared systems are not
encrypted (a really dumb thing to do, BTW). This lack of user care,
coupled with the information in the known_hosts files, allowed attackers
to spread their attacks to multiple systems.
Right now this is disabled by default, but administrators of sites with
lazy users can turn it on with the HashKnownHosts
config flag.
If you do this, you should probably also hash your existing known_hosts
file (ssh-keygen -H).
Warm Regards,
--
Bruno Delbono
Open-Systems Group
http://www.open-systems.org/users/bruno/
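The HashKnownHosts format quoted in the message above is simple enough to reproduce, which makes the privacy property concrete: a hashed host field is `|1|<salt>|<HMAC-SHA1(salt, hostname)>` with both parts base64, so ssh can still match the host it is connecting to (recompute the HMAC under the stored salt) while someone merely reading the file cannot list the hosts. The following is an added example written for this page; it is not code from the mailing-list post or from OpenSSH. The sample known_hosts text is constructed (the key blobs are truncated placeholders), and the function names are this example's own.

```python
"""Reproduce OpenSSH's HashKnownHosts / ssh-keygen -H host-field format.
Added example, not from the mailing-list post or the OpenSSH sources;
the sample known_hosts lines below are constructed for illustration."""
import base64
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"   # prefix OpenSSH writes before a hashed host field
SALT_LEN = 20        # salt length ssh-keygen uses (one SHA-1 digest long)

# Constructed sample file. Key blobs are truncated placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = """\
# plaintext entries: anyone who can read this file learns where you log in
yourhost.example.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAp832eeMwYH...EXAMPLE
bastion.example.net,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAq7Fv...EXAMPLE
"""


def hash_hostname(hostname, salt=None):
    """Return hostname in the '|1|<salt>|<hmac>' form ssh-keygen -H writes.
    hmac = HMAC-SHA1(key=salt, message=hostname); both fields are base64."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("HashKnownHosts salt must be %d bytes" % SALT_LEN)
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "%s%s|%s" % (HASH_MAGIC,
                        base64.b64encode(salt).decode(),
                        base64.b64encode(mac).decode())


def parse_hashed(host_field):
    """Split a '|1|salt|hmac' field into (salt, hmac) bytes, or None if malformed."""
    if not host_field.startswith(HASH_MAGIC):
        return None
    try:
        salt_b64, mac_b64 = host_field[len(HASH_MAGIC):].split("|", 1)
        salt = base64.b64decode(salt_b64, validate=True)
        mac = base64.b64decode(mac_b64, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    if len(salt) != SALT_LEN:
        return None
    return salt, mac


def hashed_entry_matches(host_field, hostname):
    """The lookup ssh performs: recompute the HMAC under the stored salt and
    compare. Nothing is reversed; the file only confirms a name you already know."""
    parsed = parse_hashed(host_field)
    if parsed is None:
        return False
    salt, stored = parsed
    expected = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(stored, expected)


def split_known_hosts_line(line):
    """Return (marker, host_field, rest) for one entry, or None for blank and
    comment lines. marker is '' or a leading '@cert-authority'/'@revoked'."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split(None, 1)
    marker = ""
    if fields[0].startswith("@") and len(fields) > 1:
        marker = fields[0]
        fields = fields[1].split(None, 1)
    if len(fields) < 2:
        return None   # host with no key material: nothing ssh could use
    return marker, fields[0], fields[1]


def hash_known_hosts(text):
    """Rewrite known_hosts text as ssh-keygen -H does: each plaintext host in a
    comma-separated list gets its own hashed line, already-hashed entries are
    kept, and blank/comment lines pass through unchanged."""
    out = []
    for line in text.splitlines():
        parsed = split_known_hosts_line(line)
        if parsed is None:
            out.append(line)
            continue
        marker, host_field, rest = parsed
        prefix = (marker + " ") if marker else ""
        if host_field.startswith(HASH_MAGIC):
            out.append("%s%s %s" % (prefix, host_field, rest))
            continue
        for host in host_field.split(","):
            out.append("%s%s %s" % (prefix, hash_hostname(host), rest))
    return out


def visible_hostnames(lines):
    """Hostnames a local attacker learns just by reading the file."""
    seen = set()
    for line in lines:
        parsed = split_known_hosts_line(line)
        if parsed is None or parsed[1].startswith(HASH_MAGIC):
            continue
        seen.update(parsed[1].split(","))
    return seen


if __name__ == "__main__":
    hashed = hash_known_hosts(SAMPLE_KNOWN_HOSTS)
    print("plaintext file leaks:", sorted(visible_hostnames(SAMPLE_KNOWN_HOSTS.splitlines())))
    print("hashed file leaks:   ", sorted(visible_hostnames(hashed)))
    for line in hashed:
        print(line)
    # ssh still finds the entry when it knows the name it is connecting to
    first_field = [l for l in hashed if l.startswith(HASH_MAGIC)][0].split()[0]
    print("matches yourhost.example.com:", hashed_entry_matches(first_field, "yourhost.example.com"))
```

Two caveats worth keeping in mind when relying on this: the hash hides hostnames only from someone who cannot guess them (an attacker with a candidate list can test each name exactly as `hashed_entry_matches` does), and it does nothing for the unencrypted private keys that Damien Miller's post identifies as the actual root cause. Hashing the file after the fact with `ssh-keygen -H` is the step for existing entries; the HashKnownHosts option only covers entries added afterwards.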