[CentOS] defense-in-depth possible for sshd?

Gordon Messmer yinyang at eburg.com
Sat Jan 14 00:59:34 UTC 2012


On 01/10/2012 01:12 AM, Bennett Haselton wrote:
> What about sshd -- assuming that the attacker can connect to sshd at all
> (i.e. not prevented by a firewall), if they find an exploit to let them
> take control of sshd, would that imply immediate total control of the
> machine?

Yes, but the question itself ignores the extensive security that 
accompanies sshd.

OpenSSH's server already features defense-in-depth.

OpenSSH's server features privilege separation, a mechanism in which the 
network connections and encryption are handled by a process which is 
unprivileged.  Attacks against connection handling or encryption won't 
get you root access.

OpenSSH's server code has been thoroughly audited for security.

Red Hat's build of OpenSSH's server features an SELinux policy.  Attacks 
which require system access not granted by the policy won't work.

All of Red Hat's systems feature shared lib address randomization, to 
protect against stack attacks.

Your hypothetical attack that takes control of sshd would have to defeat 
a number of levels of defense.  You compared sshd to httpd, which runs 
as a non-root user, but ignore that its *purpose* is to grant shell 
access to the system.  No matter what additional layers you add to sshd, 
a successful attack is going to grant shell access, because that's the 
purpose of the daemon.  You can't lower the privilege level of sshd to 
the point that an attacker can't get a shell (which is what was done to 
httpd) without making the service useless.
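As an added illustration (not part of Gordon's message), the following POSIX shell audit checks a host for the three layers he lists: an unprivileged sshd child (privilege separation), an sshd process confined in the SELinux sshd_t domain, and kernel address-space randomisation. It assumes the CentOS defaults: the privilege-separation account is named `sshd`, the SELinux type is `sshd_t`, and the ASLR setting is read from /proc/sys/kernel/randomize_va_space. The `ps` and label samples embedded in the script are constructed so the checks can be exercised without a live system; saved as, say, sshd_layers.sh, `sh sshd_layers.sh --live` runs them against the machine you are on.

```shell
#!/bin/sh
# Added example, not from the original post: audit the sshd defense layers
# named in the thread (privilege separation, SELinux confinement, ASLR) from
# the text that `ps` and /proc produce.  Each check reads its input on stdin
# and exits 0 when the layer is present, 1 when it is absent, so the same code
# runs against the constructed samples below or against live system output.

# Privilege separation: OpenSSH hands the network connection and the crypto to
# a child running as an unprivileged account ("sshd" on CentOS; assumed here).
# Input format: `ps -eo user,pid,ppid,comm`  ->  $1 = user, $4 = command.
privsep_child_present() {
    awk '$1 == "sshd" && $4 == "sshd" { found = 1 } END { exit found ? 0 : 1 }'
}

# SELinux confinement: every sshd process should carry the sshd_t type.  An
# sshd running as unconfined_t or initrc_t is outside the targeted policy, and
# a label of "-" means SELinux is not enforcing labels at all.
# Input format: `ps -eo label,comm`  ->  $1 = label, $2 = command.
sshd_confined_by_selinux() {
    awk '$2 == "sshd" && $1 ~ /:sshd_t:/  { confined++ }
         $2 == "sshd" && $1 !~ /:sshd_t:/ { unconfined++ }
         END { exit (confined > 0 && unconfined == 0) ? 0 : 1 }'
}

# ASLR: /proc/sys/kernel/randomize_va_space is 0 (off), 1 (stack, mmap and
# shared libraries randomised) or 2 (additionally the heap/brk).  The shared
# library randomisation the post refers to needs at least 1.
aslr_enabled() {
    IFS= read -r value
    case "$value" in
        1|2) return 0 ;;
        *)   return 1 ;;
    esac
}

# Run all three checks over the supplied text and print the number of layers
# that are missing (0 means every layer the post describes is in place).
audit_from_text() {
    ps_text=$1
    label_text=$2
    aslr_value=$3
    missing=0
    printf '%s\n' "$ps_text" | privsep_child_present \
        || { echo "missing: unprivileged sshd privsep child" >&2; missing=$((missing + 1)); }
    printf '%s\n' "$label_text" | sshd_confined_by_selinux \
        || { echo "missing: sshd confined in SELinux sshd_t" >&2; missing=$((missing + 1)); }
    printf '%s\n' "$aslr_value" | aslr_enabled \
        || { echo "missing: kernel ASLR (randomize_va_space)" >&2; missing=$((missing + 1)); }
    echo "$missing"
}

# Live mode: feed real `ps` and /proc output through the same checks.
audit_live() {
    audit_from_text \
        "$(ps -eo user,pid,ppid,comm)" \
        "$(ps -eo label,comm 2>/dev/null)" \
        "$(cat /proc/sys/kernel/randomize_va_space 2>/dev/null || echo 0)"
}

# Constructed samples (not captured from a real host).  Process layout follows
# OpenSSH's design: root listener -> root monitor -> unprivileged "sshd" child
# for the network, with the authenticated user's shell forked by the monitor.
SAMPLE_PS_PRIVSEP='USER       PID  PPID COMMAND
root         1     0 init
root      1234     1 sshd
root      2049  1234 sshd
sshd      2050  2049 sshd
gordon    2051  2049 bash'

SAMPLE_PS_NO_PRIVSEP='USER       PID  PPID COMMAND
root         1     0 init
root      1234     1 sshd
root      2049  1234 sshd
gordon    2051  2049 bash'

SAMPLE_LABELS_CONFINED='LABEL                                   COMMAND
system_u:system_r:init_t:s0             init
system_u:system_r:sshd_t:s0-s0:c0.c1023 sshd
system_u:system_r:sshd_t:s0-s0:c0.c1023 sshd
unconfined_u:unconfined_r:unconfined_t:s0 bash'

SAMPLE_LABELS_UNCONFINED='LABEL                                   COMMAND
system_u:system_r:init_t:s0             init
system_u:system_r:initrc_t:s0           sshd
unconfined_u:unconfined_r:unconfined_t:s0 bash'

case "${1:-}" in
    --live) audit_live ;;
    --demo) audit_from_text "$SAMPLE_PS_PRIVSEP" "$SAMPLE_LABELS_CONFINED" 2
            audit_from_text "$SAMPLE_PS_NO_PRIVSEP" "$SAMPLE_LABELS_UNCONFINED" 0 ;;
esac
```

Each missing layer reported is one fewer hurdle between a hypothetical sshd bug and root, which is the point Gordon makes: the layers do not stop a successful attack from yielding a shell, but they decide how much an attacker has to defeat first and whether the foothold starts as root or as the confined, unprivileged privsep child.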