(mis)trusting and (ab)using ssh - root merepository.root-me.org/administration/unix/en... · freak...

(mis)Trusting and (ab)Using SSHTips and Tricks for Pentesters and Sysadmins

Herman Duarte <hcoduarte@gmail.com>Bruno Morisson <morisson@genhex.org>

1Monday, July 2, 12

About usBruno Morisson<morisson@genhex.org>http://genhex.org/~mori/

I do security stuff @ INTEGRITY S.A.

@morissonhttp://www.linkedin.com/in/morisson

Herman Duarte<hcoduarte@gmail.com>

InfoSEC addict @ INTEGRITY S.A.

@hdontwithttp://www.linkedin.com/in/hcoduarte

2Monday, July 2, 12

In the beginning of times...

Telnet

r* services (rlogin, rsh)

Weak (or no) authentication

Communication in clear

3Monday, July 2, 12

In the beginning of times...

Sniffing

Interception

Hijacking

Man-In-The-Middle

...

4Monday, July 2, 12

Enter the Dragon^WSSH

5Monday, July 2, 12

Key agreement (DH)

Encrypted communications (C&I from CIA)

Multiple authentication options (password, public keys, kerberos, etc...)

Channel Multiplexing

Port Forwarding

VPN

...and so much more!

SSH* features

* for this talk SSH==SSHv26Monday, July 2, 12

7Monday, July 2, 12

SSH 101- The Basics

Key Agreement (DH), Host auth, Integrity, Encryption, Re-Keying

User Authentication (password, Pubkey, etc)

Session Multiplexing, TCP forwarding, socket forwarding, sftp subsystem, etcConnection

User Auth

Transport

TCP

IP

SSH

8Monday, July 2, 12

SSH 101- The Basics

Client Server

Encrypted Channel Setup

User Authentication

Connection

9Monday, July 2, 12

SSH 101- The BasicsUser authentication methods:

GSSAPI

Host-Based

Public Key

Challenge-Response

Password

10Monday, July 2, 12

Password Authentication

Encrypted Channel Setup

username, use password

OK

Password

Auth Ok / NOk

Client

ssh

Server

sshd passwd file

11Monday, July 2, 12

If the server is compromised...

sshd binary is changed with one that logs passwords

keylogger is installed on the server

..the password is compromised!

12Monday, July 2, 12

PublicKey Authentication

Encrypted Channel Setup

username, use publickey

OK

Signature

Auth Ok / NOk

Client

id_dsa ssh

Server

sshd authorized_keys

13Monday, July 2, 12

DEMO

14Monday, July 2, 12

What if I have a lot of keys, or login a lot ??

15Monday, July 2, 12

SSH AgentEncrypted Channel Setup

username, use publickey

OK

Signature

Auth Ok / NOk

Server

sshd

authorized_keys

Client

Agent

id_dsa

ssh

16Monday, July 2, 12

What if I SSH into other servers ??

17Monday, July 2, 12

SSH Agent Forwarding

No need to copy private key to other servers

Key is kept on the original source host

Agent is forwarded, using a tunnel

Passwordless!

18Monday, July 2, 12

Client

Agent

id_dsa

Server #1

sshd

authorized_keys

Server #2

sshd

authorized_keys

SSH Agent ForwardingTransport

Connection

Interactive Shell

Agent Forwarding

Transport

Connection

Interactive Shell

ssh ssh

19Monday, July 2, 12

Control Master

Connection multiplexing allows for multiple sessions on one connection

It’s fast

No need for extra authentication

20Monday, July 2, 12

DEMO

21Monday, July 2, 12

Caveat Emptor(s)

You must trust the server(s)

What if the server was compromised ?

Can SSH Agent be abused ?

Can Control Master be abused ?

22Monday, July 2, 12

DEMO

23Monday, July 2, 12

Help us Obi Wan

You’re our only hope!24Monday, July 2, 12

Freak on a Leash

When adding keys to ssh-agent use ssh-add with:

-t <secs> to set a maximum lifetime on the identities being added to the agent

-c to indicate that identities being added should be subject to confirmation before being used for auth

25Monday, July 2, 12

ssh-agent queries /usr/libexec/ssh-askpass for confirmation

“ssh-add -c -t 3600 < /dev/null” makes ssh-add use env var SSH_ASKPASS to query for passphrase

Freak on a Leash

26Monday, July 2, 12

DEMO

27Monday, July 2, 12

But we still need passwords!

If you su / sudo, you still type your password...

What if we could use the SSH Agent for sudo ?

Yes we can! :)

28Monday, July 2, 12

DEMO

29Monday, July 2, 12

Paranoia is reality on a finer scale

30Monday, July 2, 12

31Monday, July 2, 12

Using SSH w/o using SSH(but still using SSH)

ssh -W trusted:22 untrusted

Open socket to trusted Server...

...through an untrusted Server

32Monday, July 2, 12

ssh -o “ProxyCommand ssh -a -W trusted:22 untrusted” trusted

Open Socket to trusted via untrusted

Disable Agent Forwarding

Connect to the socket created

Just for user and key validation

Using SSH w/o using SSH(but still using SSH)

33Monday, July 2, 12

Untrusted

sshd

authorized_keys

Owned

sshd

authorized_keys

Trusted

sshd

authorized_keys

Client

Agent

id_dsa

Transport

Connection

-W (Open Socket to Server #2)Transport

ssh

Connection

Interactive Shell

Using SSH w/o using SSH(but still using SSH)

34Monday, July 2, 12

DEMO

35Monday, July 2, 12

Control your SSH

.ssh/config

Host trusted1 trusted2 trusted3ForwardAgent yesProxyCommand ssh -a -W %h:22 untrusted.server.com

Host *ControlMaster noForwardAgent noPasswordAuthentication noHashKnownHosts yes

36Monday, July 2, 12

Live long and prosper

37Monday, July 2, 12

ReferencesRTFM :)

RFCs 4251-4256,4335,4344,4345,4419,4432,4462,4716,5656

http://www.linuxjournal.com/article/9566

http://pamsshagentauth.sourceforge.net/

http://www.jedi.be/blog/2010/08/27/ssh-tricks-the-usual-and-beyond/

38Monday, July 2, 12