[CentOS] defense-in-depth possible for sshd?

Tue Jan 10 10:11:44 UTC 2012
Bennett Haselton <bennett at peacefire.org>

On 1/10/2012 2:02 AM, Adrian Sevcenco wrote:
> On 01/10/12 11:12, Bennett Haselton wrote:
>> What about sshd -- assuming that the attacker can connect to sshd at all
>> (i.e. not prevented by a firewall), if they find an exploit to let them
>> take control of sshd, would that imply immediate total control of the
> UsePrivilegeSeparation
> Specifies whether sshd(8) separates privileges by creating an
> unprivileged child process to deal with incoming network traffic.
> After successful authentication, another process will be created that
> has the privilege of the authenticated user.  The goal of privilege
> separation is to prevent privilege escalation by containing any
> corruption within the unprivileged processes.  The default is ``yes''.
> If UsePrivilegeSeparation is set to ``sandbox'' then the
> pre-authentication unprivileged process is subject to additional
> restrictions.
>
> http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5
OK.  So it sounds like if you found a particular exploit in sshd that
could *only* do certain things -- like write a file to an arbitrary
location on disk -- then this privilege separation would prevent that
exploit from being used to make the child process write somewhere that
it didn't have privileges to write to.

On the other hand if you found an exploit that let you take complete
control of sshd, you could just tell it "allow logins from root, accept
'foo' as the password, and then do whatever you were going to do
before", and that would presumably work, wouldn't it?

Bennett
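As an added example (not part of this thread or of OpenSSH), a small POSIX sh check that reports the effective global value of an sshd_config keyword such as UsePrivilegeSeparation, following the parsing rules sshd_config(5) documents: commented lines are ignored, the first occurrence of a keyword wins, and lines under a Match block are conditional rather than global. The sample config is constructed here and `sshd_effective` is a hypothetical helper name.

```shell
# Added audit helper (hypothetical name, not from the thread).
# Usage: sshd_effective <config-file> <Keyword> <default-if-absent>
# Prints the global value sshd would use for Keyword.
sshd_effective() {
    # Drop comment lines, then take the first matching keyword
    # (case-insensitive) that appears before any Match block.
    _v=$(grep -v '^[[:space:]]*#' "$1" | awk -v k="$2" '
        tolower($1) == "match"     { exit }          # rest is conditional
        tolower($1) == tolower(k)  { print $2; exit } # first occurrence wins
    ')
    printf '%s\n' "${_v:-$3}"
}

# Constructed sample sshd_config, not a real host's file.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# A commented-out line must be ignored:
# UsePrivilegeSeparation sandbox
PermitRootLogin no
UsePrivilegeSeparation yes
# sshd honours only the first occurrence of a keyword:
UsePrivilegeSeparation no
Match Address 10.0.0.0/8
    PasswordAuthentication yes
EOF

# Defaults passed here follow the man page text quoted above.
echo "UsePrivilegeSeparation: $(sshd_effective "$SAMPLE_CFG" UsePrivilegeSeparation yes)"
echo "PermitRootLogin:        $(sshd_effective "$SAMPLE_CFG" PermitRootLogin yes)"
echo "PasswordAuthentication: $(sshd_effective "$SAMPLE_CFG" PasswordAuthentication yes)"
```

On OpenSSH 7.5 and later the option was removed and privilege separation is always on, so an absent keyword there is not a misconfiguration; the first-occurrence rule still applies to every other keyword.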