James G. Sack (jim) wrote:
LWN has an article and some useful comments engendered by an ssh attack
which installs some kind of rootkit called phalanx2.
http://lwn.net/Articles/295712/
It is curious(!) that the referenced CERT advisory at
http://www.us-cert.gov/current/#ssh_key_based_attacks
includes words that seem to recommend disabling(!!) key-based
authentication. I think the most sensible interpretation is that
key-based authentication should be disabled on hosts where penetration
_may_ have occurred -- but that doesn't seem right either. Maybe, they
are recommending that on a critical system until users and keys can be
re-verified.
Some of the comments cover strategies previously mentioned in a recent
ssh thread here.
Basically, once an attacker goes root, all keys on the machine are
compromised. That's not a surprise.
A password doesn't get around this either; if the attacker has root,
you're sniffed. Game, set, match.
The only thing which would get around this is an external factor
authentication system. For example, a keycard with changing PINs.
Again, it's all about security vs. convenience vs. expense.
From my point of view, I'd probably try SecurID if it wasn't so blasted
expensive.
-a
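The thread's practical question is what "re-verify users and keys" looks like on a host where key-based logins are suspect. The script below is an added example, not code from either poster or from the LWN or CERT pages: it inventories an authorized_keys file (options prefix, key type, SHA256 fingerprint in the same format `ssh-keygen -lf` prints, comment) so the list can be diffed against what the owners say should be there, and it checks whether `PubkeyAuthentication` is currently switched off in sshd_config, as the advisory's wording suggests doing until the keys are confirmed. The sample keys and config are constructed inline (synthetic key bytes, not real keys); the function names are my own.

```python
import base64
import hashlib
import re

# Key types OpenSSH accepts in authorized_keys and that this inventory recognises.
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
_KEY_RE = re.compile(r"(?:^|\s)(" + "|".join(re.escape(t) for t in KEY_TYPES)
                     + r")\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$")


def _ssh_string(b: bytes) -> bytes:
    # SSH wire-format string: 4-byte big-endian length, then the bytes (RFC 4253 6.6).
    return len(b).to_bytes(4, "big") + b


def make_key_blob(keytype: str, raw_public_key: bytes) -> str:
    # Builds the base64 blob that appears in authorized_keys. Used here only to
    # construct sample entries; the raw key bytes passed in below are synthetic.
    return base64.b64encode(_ssh_string(keytype.encode()) + _ssh_string(raw_public_key)).decode()


def fingerprint(blob_b64: str) -> str:
    # Same scheme as `ssh-keygen -lf`: SHA-256 over the decoded blob, base64
    # without padding, prefixed with "SHA256:".
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def inventory_authorized_keys(text: str) -> list:
    # One dict per key line: options prefix, key type, fingerprint, comment.
    # Lines that do not parse are reported rather than silently skipped, since
    # an unexpected line in authorized_keys is itself worth a look.
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _KEY_RE.search(line)
        if not m:
            entries.append({"line": lineno, "error": "unparseable entry"})
            continue
        keytype, blob, comment = m.group(1), m.group(2), m.group(3) or ""
        entries.append({
            "line": lineno,
            "options": line[:m.start(1)].strip(),
            "type": keytype,
            "fingerprint": fingerprint(blob),
            "comment": comment,
        })
    return entries


def pubkey_auth_enabled(sshd_config: str) -> bool:
    # OpenSSH defaults PubkeyAuthentication to yes, and for each keyword the
    # first value in the file is the one that takes effect.
    for line in sshd_config.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "pubkeyauthentication":
            return parts[1].strip().lower() == "yes"
    return True


# Constructed sample data for the example (synthetic keys, not anyone's real keys).
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# keys for the deploy account",
    "ssh-ed25519 " + make_key_blob("ssh-ed25519", bytes(range(32))) + " alice@laptop",
    'from="10.0.0.5",no-pty ssh-ed25519 ' + make_key_blob("ssh-ed25519", bytes(range(32, 64))) + " backup-job",
    "garbage line that is not a key",
])

SAMPLE_SSHD_CONFIG = (
    "# hardening while keys are re-verified\n"
    "PubkeyAuthentication no\n"
    "PasswordAuthentication no\n"
)


def report(authorized_keys: str, sshd_config: str) -> dict:
    # Summary a defender can keep and diff against the next run.
    return {"pubkey_auth_enabled": pubkey_auth_enabled(sshd_config),
            "keys": inventory_authorized_keys(authorized_keys)}


if __name__ == "__main__":
    r = report(SAMPLE_AUTHORIZED_KEYS, SAMPLE_SSHD_CONFIG)
    print("PubkeyAuthentication enabled:", r["pubkey_auth_enabled"])
    for entry in r["keys"]:
        print(entry)
```

Run it against a real file by reading `~user/.ssh/authorized_keys` and `/etc/ssh/sshd_config` into the two strings; the fingerprints it prints match what `ssh-keygen -lf` reports, so owners can confirm each key from their own copy without the suspect host's word for it. The parser deliberately treats anything it cannot read as a finding rather than discarding it.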
--
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list