doing an ssh into a compromised host

2004-11-01 Thread Vassilii Khachaturov
I have discovered that one of the machines I have an account on has been
hacked. As a result, I am left with the following worries.

I have been doing ssh into the box. The client is set up not to request
the X forwarding by the default. When I try "ssh -v" now, I observe no X
forwarding being established, whereas "ssh -X -v"  does establish X.
Question is, could the server have forced an X forwarding on me (w/o my
knowledge) having sniffed my local keystrokes? FWIW, I have been doing
"ssh-add" and then ssh w/o a need to enter any password during the
authentication with the compromised remote host.

Thanks for your explanations in advance,
Vassilii


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: doing an ssh into a compromised host

2004-11-02 Thread martin f krafft
also sprach Vassilii Khachaturov <[EMAIL PROTECTED]> [2004.11.02.0759 +0100]:
> I have been doing ssh into the box. The client is set up not to
> request the X forwarding by the default. When I try "ssh -v" now,
> I observe no X forwarding being established, whereas "ssh -X -v"
> does establish X. Question is, could the server have forced an
> X forwarding on me (w/o my knowledge) having sniffed my local
> keystrokes? FWIW, I have been doing "ssh-add" and then ssh w/o
> a need to enter any password during the authentication with the
> compromised remote host.

If you forward your agent (-A, or ForwardAgent yes), then the
attacker now probably has access to all machines where the SSH key
you used has access.

I am unaware of a way to hijack X Forwarding in the way you
describe.

-- 
Please do not CC me when replying to lists; I read them!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!




Re: doing an ssh into a compromised host

2004-11-02 Thread Volker Tanger
Greetings!

On Tue, 2 Nov 2004 08:59:07 +0200 (IST) Vassilii Khachaturov
<[EMAIL PROTECTED]> wrote:
> I have been doing ssh into the box. The client is set up not to
> request the X forwarding by the default. When I try "ssh -v" now, I
> observe no X forwarding being established, whereas "ssh -X -v"  does
> establish X. Question is, could the server have forced an X forwarding
> on me (w/o my knowledge) having sniffed my local keystrokes? 

You could force the SSH client to *not* forward X11 with -x 
(the low-caps x char) regardless other client/server-side
specifications. If you do not specify any other special 
forwarding (-L or -R) then there will be no forwarding.

HTH

Volker Tanger
ITK Security





Re: doing an ssh into a compromised host

2004-11-02 Thread Vassilii Khachaturov
> You could force the SSH client to *not* forward X11 with -x
> (the low-caps x char) regardless other client/server-side
> specifications. If you do not specify any other special
> forwarding (-L or -R) then there will be no forwarding.

Good, that was what I was hoping for. (Obviously, my 
default /etc/ssh/ssh_config doesn't turn on the fwding by default.)

Luckily, I am also not using any agent fwding as well.

The box is remote, and I'll only have console access in a couple of days.
Meanwhile, the only thing I have is looking at some offline backups and
working remotely in the (compromised) environment. Right now I'm looking at
the lsof output there, a curious entry from Apache shown by lsof: 

apache 3170 root mem DEL 0,5 0 /SYSV000

Does it ring the bell for anyone? (The box runs apache 1.3.26-0woody5).

chkrootkit (inside the compromised environment, so it is no big surprise) 
doesn't report anything.

V.





Re: doing an ssh into a compromised host

2004-11-02 Thread Dariush Pietrzak
> If you forward your agent (-A, or ForwardAgent yes), then the
> attacker now probably has access to all machines where the SSH key
> you used has access.
Is this indeed true? I was under the impression that ForwardAgent works more
in challenge-response fashion?

And as far as X-forwarding goes - AFAIK if your setup is like you
describe, then your ssh does not request X-forwarding, thus, there's no way
for the remote server to force this upon you.
-- 
Dariush Pietrzak,
Key fingerprint = 40D0 9FFB 9939 7320 8294  05E0 BCC7 02C4 75CC 50D9





Re: doing an ssh into a compromised host

2004-11-02 Thread Vassilii Khachaturov
> Meanwhile, the only thing I have is looking at some offline backups and
> working remotely in the (compromised) environment. Right now I'm looking at
> the lsof output there, a curious entry from Apache shown by lsof:
>
> apache 3170 root mem DEL 0,5 0 /SYSV000
>
> Does it ring the bell for anyone? (The box runs apache 1.3.26-0woody5).

Belay that. This looks like the apache scoreboard. A sane apache2 machine has
similar entries as well:

apache2    1318  apache  mem    DEL    0,6    0 /SYSV0c0deb00
apache2    1926  apache  mem    DEL    0,6    0 /SYSV0c0deb00
apache2    2432  apache  mem    DEL    0,6    0 /SYSV0c0deb00
apache2    2502  apache  mem    DEL    0,6    0 /SYSV0c0deb00
apache2    8538    root  mem    DEL    0,6    0 /SYSV0c0deb00
apache2    8798  apache  mem    DEL    0,6    0 /SYSV0c0deb00
apache2   27796  apache  mem    DEL    0,6    0 /SYSV0c0deb00
apache2   27797  apache  mem    DEL    0,6    0 /SYSV0c0deb00
apache2   28306  apache  mem    DEL    0,6    0 /SYSV0c0deb00

G I'll try to nessus the machine remotely, and see if something boils 
up from it...


Re: doing an ssh into a compromised host

2004-11-02 Thread martin f krafft
also sprach Dariush Pietrzak <[EMAIL PROTECTED]> [2004.11.02.0947 +0100]:
> > If you forward your agent (-A, or ForwardAgent yes), then the
> > attacker now probably has access to all machines where the SSH key
> > you used has access.
> Is this indeed true? I was under an impression that ForwardAgent works more
> in challenge-response fashion?

Nope. It is true. Copy the appropriate /tmp/ssh* directory, chown
it, set SSH_AUTH_SOCKET appropriately, and ssh away.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!




Re: doing an ssh into a compromised host

2004-11-02 Thread Dariush Pietrzak
> Nope. It is true. Copy the appropriate /tmp/ssh* directory, chown
> it, set SSH_AUTH_SOCKET appropriately, and ssh away.
 hmm, but in /tmp/ssh* there's just a socket... so when agent is gone, what
good is that file?

-- 
Dariush Pietrzak,
Key fingerprint = 40D0 9FFB 9939 7320 8294  05E0 BCC7 02C4 75CC 50D9





Re: doing an ssh into a compromised host

2004-11-02 Thread Henrique de Moraes Holschuh
On Tue, 02 Nov 2004, martin f krafft wrote:
> If you forward your agent (-A, or ForwardAgent yes), then the
> attacker now probably has access to all machines where the SSH key
> you used has access.

This goes against what I know about the agent.  The attacker could *try* to
access the agent when it was active (and if you are as paranoid as you
should, you're using an agent that ASKS before doing any work).

It should not be possible to retrieve key material from the agent, ever. And
the whole setup should not be vulnerable to replay attacks when using
protocol 2 either.

Are you *completely* sure of what you are talking about?

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh





Re: doing an ssh into a compromised host

2004-11-02 Thread martin f krafft
also sprach Dariush Pietrzak <[EMAIL PROTECTED]> [2004.11.02.1053 +0100]:
>  hmm, but in /tmp/ssh* there's just a socket... so when agent is gone, what
> good is that file?

Fine, so the other hosts are only accessible while you are logged
in. Should be enough to hijack them...

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!




Re: doing an ssh into a compromised host

2004-11-02 Thread martin f krafft
also sprach Henrique de Moraes Holschuh <[EMAIL PROTECTED]> [2004.11.02.1314 +0100]:
> It should not be possible to retrieve key material from the agent,
> ever. And the whole setup should not be vulnerable to replay
> attacks when using protocol 2 either.
> 
> Are you *completely* sure of what you are talking about?

Yes, although I was not clear:

having access to /tmp/ssh* means that you can access all hosts that
trust the key used to login to the current host for the duration of
the current session. Since only authentication has to be during the
current session, an attacker could gain access to other hosts and
idle there for as long as the network stays up. Access to key
material and replay attacks are not possible.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!


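A defender's check for the two settings this thread turns on (agent forwarding and X11 forwarding), added here as an example that is not part of the original thread: a small POSIX shell/awk audit that reports every Host block in an ssh_config that enables ForwardAgent or ForwardX11. The two config texts are constructed samples and the function name audit_forwarding is the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): audit an ssh_config for Host blocks that
# enable agent or X11 forwarding, the two settings the thread warns about.
# Assumes the "keyword value" form of ssh_config lines (not "keyword=value").

# Constructed sample: the global default is safe, but one host re-enables both.
RISKY_CONFIG='Host trusted-jump
    ForwardAgent yes
    ForwardX11 yes

Host *
    ForwardAgent no
    ForwardX11 no
'

# Constructed sample with nothing enabled.
SAFE_CONFIG='Host *
    ForwardAgent no
    ForwardX11 no
'

# audit_forwarding CONFIG_TEXT
# Prints "<host pattern> <option>" for every "ForwardAgent yes" / "ForwardX11 yes",
# attributed to the enclosing Host block ("(global)" before any Host line).
# Exit status 1 if anything was found, 0 if the config is clean.
audit_forwarding() {
    printf '%s\n' "$1" | awk '
        BEGIN { host = "(global)"; found = 0 }
        /^[[:space:]]*#/ { next }                      # comment line
        NF == 0 { next }                               # blank line
        tolower($1) == "host" {                        # new Host block; keep all its patterns
            host = $2
            for (i = 3; i <= NF; i++) host = host " " $i
            next
        }
        tolower($1) == "forwardagent" || tolower($1) == "forwardx11" {
            if (tolower($2) == "yes") { printf "%s %s\n", host, tolower($1); found = 1 }
        }
        END { exit found }'
}

# Related per-invocation knobs in OpenSSH: "ssh -x" and "ssh -a" disable X11 and
# agent forwarding for one connection; "ssh-add -c" makes the agent ask before
# every signature and "ssh-add -t <seconds>" expires loaded keys.
if audit_forwarding "$RISKY_CONFIG"; then
    echo "no forwarding enabled"
else
    echo "forwarding enabled for the hosts listed above"
fi
```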


Re: doing an ssh into a compromised host

2004-11-02 Thread Andrew Pimlott
On Tue, Nov 02, 2004 at 10:14:37AM -0200, Henrique de Moraes Holschuh wrote:
> (and if you are as paranoid as you
> should, you're using an agent that ASKS before doing any work).

Do you have such a thing?  I would absolutely love an ssh agent that
only asks for pass-phrases as needed, times them out eventually, and
can prompt before answering a challenge.

Andrew





Re: doing an ssh into a compromised host

2004-11-03 Thread Marcus Williams
On 03/11/2004, Andrew Pimlott wrote:
> Do you have such a thing?  I would absolutely love an ssh agent that
> only asks for pass-phrases as needed, times them out eventually, and
> can prompt before answering a challenge.

quintuple-agent does something like this. Not sure if it supports ssh
or not - it's really for gpg and such. Looks like you could write a
wrapper script so that it supported ssh though.

Marcus

-- 
Marcus Williams -- http://www.quintic.co.uk
Quintic Ltd, 39 Newnham Road, Cambridge, UK
  This message is private [ ] public [*]





Re: doing an ssh into a compromised host

2004-11-03 Thread Andrew Pimlott
On Wed, Nov 03, 2004 at 10:17:22AM +, Marcus Williams wrote:
> On 03/11/2004, Andrew Pimlott wrote:
> > Do you have such a thing?  I would absolutely love an ssh agent that
> > only asks for pass-phrases as needed, times them out eventually, and
> > can prompt before answering a challenge.
> 
> quintuple-agent does something like this. Not sure if it supports ssh
> or not - its really for gpg and such. Looks like you could write a
> wrapper script so that it supported ssh though.

Thanks for the idea.  However, ssh-agent has to speak the ssh-agent
challenge-response protocol, and provides no way to call out to another
program for pass-phrases.  So hooking it up to quintuple-agent would
require some work, I believe.

Andrew





Re: doing an ssh into a compromised host

2004-11-03 Thread Dariush Pietrzak
> Thanks for the idea.  However, ssh-agent has to speak the ssh-agent
> challenge-response protocol, and provides no way to call out to another
> program for pass-phrases.  So hooking it up to quintuple-agent would
> require some work, I believe.
it would be easier to hack ssh-agent to pop up a message 
  'host sth requested auth .. grant yes/no?'
(although hack would be easy, doing this correctly may require some work)

-- 
Dariush Pietrzak,
Key fingerprint = 40D0 9FFB 9939 7320 8294  05E0 BCC7 02C4 75CC 50D9

