SSH hacked?

Gilles Gravier gilles at gravier.org
Mon Jan 19 10:41:24 UTC 2009


Hi!

Steve Lamb wrote:
> Gilles Gravier wrote:
>> Carry your key in a USB stick.
>     Uhm, what USB stick?
We live in 2009... USB ports and sticks have been available for over a
decade.
>> Or even better. Make your favorite SSH client available from a web page.
>> Use appGATE's MindTerm (http://www.appgate.com/mindterm/ - Java SSH
>> client which can be served as an application or an applet - it's free
>> for personal and even small business use, and source is available).
>     Ah, yes, and give people a place to get an SSH client right from your
> machine, adding a layer of redirection to the logs.  Smart!
That's how you audit. Through logs. You want to secure? Securing without
auditing is against all best practices.

And it's only one of the multiple options.

You could also use a liveCD and package your favorite SSH client
(including one from over a decade ago if you feel better about it) and
your digital certificate (encrypted with a reasonable passphrase) and as
such have a mobile, secure (CDROMs are hard to write over) solution.
>> Telling users to use a secret sequence of port opens is just equivalent
>> to giving them a second password... and just as (in)safe. If I'm behind
>> such a user and I see them open sequential connects to a machine before
>> SSHing... it's an easy guess.
>     You'd see something handled by the client?  Interesting.
How do you plan to use knockd from various places? If you need to send
knockd a series of requests in sequence on ports before it opens 22 for
your connection, you need to generate that sequence. Unless you plan to
trigger that by SMS (how do you handle lack of reception - and costs)
the only way is from the client, before launching your SSH client. I'm
curious as to how YOU go about triggering knockd when you are on a
machine that isn't yours.
>> You imagine that knockd is secure? What proof do you have that some
>> obscure vulnerability won't be found that enables a buffer overflow
>> opening ANY arbitrary port on the machine (I'm not saying that this is
>> the case today...).
>     I imagine it is, yes.  Tell me, how, exactly, would you construct a buffer
> overflow which attacks through the logs of the machine?  Pardon me if I don't
> wait for you to answer that.
knockd is a binary and it listens on the network. Send it the right (or,
in this case, wrong) packets and you might trigger/exploit a bug.

Version 0.5 includes the following fix: "- Fixed memory leaks and
potential security vulnerabilities"

OK... So you claim to some security expertise. I trust you understand
this line to mean that knockd version 0.4 had known security
vulnerabilities... and I imagine you are familiar enough with software
development to realize that the fact that these have been fixed in 0.5
doesn't imply that 0.5 will not have its own lot of security
vulnerabilities that either haven't been detected from previous version
or introduced by new code.
>> There is no 100% security.
>     Sure there is.  Yank the cable.  :P
Old Amigas had no network cable... they still suffered from viruses
transmitted by floppies. You may be too young to have lived that time...
but I did.

If you meant the power cable. Yes. I appreciate the humor. It's been
suggested that machines without a power cable have no security issues.
Unfortunately, my cell phone has no power cable for 90% of the time I
use it. It's still vulnerable to many things.
>> Good, complex passwords are a very very good solution, in particular if
>> you change them often... but that only prevents somebody eavesdropping
>> over your shoulder. A good password shouldn't be vulnerable to a
>> dictionary attack, and, as such, not really brute-forceable anyways.
>     And yet none of this still comes close to just not having the port open.
But when you need SSH access to your machine, strong authentication is
the way to go. Do you also use knockd to block your web server?
> I'm done arguing with your ignorance on this matter.  Quite simply you are
> arguing against decades of solid system security.  Don't open the port unless
> needed, just that simple.
And when you need it, use the decades-approved principle: KISS, "keep it
simple, stupid". Don't add an additional layer if you don't really need
it. If you add it, make sure you understand the risks, and have put in
place what is needed to mitigate them.

Rather than add an additional layer (knockd) I chose strong
authentication. Each situation has several possible ways to address it.
I'm not saying knockd is BAD. I'm just saying it's not the ultimate
silver bullet that you seem to imply here.
> Go ahead and reply again if you want to continue
> proving how foolish you are.
That phrase is formulated as if you were a teenager. Decades of
security... Hum. I was hacking at systems back in 1986. Were you born
then? I'm a CISSP. Are you?

Gilles

More information about the ubuntu-users mailing list