[CentOS] sshd hack

Sat Mar 11 17:32:37 UTC 2006
Bruno S. Delbono <Bruno.S.Delbono at Mail.AC>

Jeff Kinz wrote:
> If your ssh keys are in a file on a remote server, does that mean anyone
> who has root on that system can use them to gain access to ssh into your home
> system?

It depends. There are two types of keys: public and private keys. 
Obviously, you only need to upload the public key to the server you want 
to login to (as authorized_keys with OpenSSH). The private key should be 
password protected (i.e. NO BLANK PASSWORDS on dsa/rsa keys).

If someone has root on a server where the private key is located, they 
can see the key. But after seeing the key, they need to know the IP/FQDN 
of the remote SSH server "AND" know the password of the private key 
(which is why having a pass-"phrase" is a better idea than pass-"word").

Not only that, but newer versions of SSH allow you to encrypt your 
known_hosts file. From Damien Miller's Post:

Added the ability to store hostnames added to ~/.ssh/known_hosts in a 
hashed format. This is a privacy feature that prevents a local attacker 
from learning other hosts that a user has accounts on from their 
known_hosts file.

So instead of hostnames being stored in plain text like:

 > yourhost.example.com ssh-rsa AAAB3NzaC1yc2EAAAABIwAAAIEAp832eeMwYH…

They are hashed first, so they don’t reveal the hostname. E.g.:

 > |1|bRGYyrC+bfKZGGd5GZH4wo1AnsI=|xcQ+54QNVwQ+fBCldn0= ssh-rsa AAA…

We added this at the request of some MIT researchers who found that a 
substantial number of user private keys on shared systems are not 
encrypted (a really dumb thing to do, BTW). This lack of user care, 
coupled with the information in the known_hosts files, allowed attackers 
to spread their attacks to multiple systems.

Right now this is disabled by default, but administrators of sites with 
lazy users can turn it on with the HashKnownHosts config flag.

If you do this, you should probably also hash your existing known_hosts 
file (ssh-keygen -H).


Warm Regards,

--
Bruno Delbono
Open-Systems Group
http://www.open-systems.org/users/bruno/
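As an added example (not part of the original post or of OpenSSH's own code), the hashed known_hosts format Damien describes, |1|base64(salt)|base64(HMAC-SHA1(salt, hostname)), worked in Python: building a hashed host field, checking a hostname against one the way ssh does at lookup, and rewriting a constructed plain-text file the way ssh-keygen -H does. The function names and the sample file contents are my own.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional

HASH_MAGIC = "|1|"  # prefix OpenSSH puts on hashed known_hosts host fields


def hash_hostname(hostname: str, salt: Optional[bytes] = None) -> str:
    """Return |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname)).
    OpenSSH draws a fresh random 20-byte salt per entry; a fixed salt is
    accepted only so that results are reproducible in tests."""
    if salt is None:
        salt = os.urandom(hashlib.sha1().digest_size)
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(digest).decode()


def hostname_matches(hashed_field: str, hostname: str) -> bool:
    """Recompute the HMAC with the stored salt, as ssh does when it looks a host up."""
    if not hashed_field.startswith(HASH_MAGIC):
        return False
    try:
        salt_b64, digest_b64 = hashed_field[len(HASH_MAGIC):].split("|", 1)
        salt = base64.b64decode(salt_b64, validate=True)
        stored = base64.b64decode(digest_b64, validate=True)
    except ValueError:  # malformed field (binascii.Error is a ValueError)
        return False
    computed = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(computed, stored)


def hash_known_hosts(text: str) -> List[str]:
    """Rewrite plain known_hosts lines in hashed form, roughly as ssh-keygen -H does.
    A plain line may list several comma-separated hosts; each gets its own hashed
    line, since a hashed field covers exactly one host. Comments, already-hashed
    lines and @marker lines (e.g. @cert-authority) pass through untouched."""
    out: List[str] = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", HASH_MAGIC, "@")):
            out.append(line)
            continue
        hosts, rest = stripped.split(None, 1)  # host field, then key type + key
        out.extend(f"{hash_hostname(host)} {rest}" for host in hosts.split(","))
    return out


# Constructed sample file: a comment, then two hosts sharing one (fake) key line.
SAMPLE_KNOWN_HOSTS = "# written before HashKnownHosts was on\nyourhost.example.com,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2ETESTKEYONLY\n"
```

A full HMAC-SHA1 digest encodes to 28 base64 characters, so the quoted example line above abbreviates the hash as well as the key.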