(mis)Trusting and (ab)Using SSH
Tips and Tricks for Pentesters and Sysadmins
Herman Duarte
Bruno Morisson
1Monday, July 2, 12
About us
Bruno Morisson
http://genhex.org/~mori/
I do security stuff @ INTEGRITY S.A.
@morisson
http://www.linkedin.com/in/morisson
Herman Duarte
InfoSEC addict @ INTEGRITY S.A.
@hdontwit
http://www.linkedin.com/in/hcoduarte
In the beginning of times...
Telnet
r* services (rlogin, rsh)
Weak (or no) authentication
Communication in clear
In the beginning of times...
Sniffing
Interception
Hijacking
Man-In-The-Middle
...
Enter the Dragon^WSSH
SSH* features
Key agreement (DH)
Encrypted communications (C&I from CIA)
Multiple authentication options (password, public keys, kerberos, etc...)
Channel Multiplexing
Port Forwarding
VPN
...and so much more!
* for this talk SSH==SSHv2
SSH 101 - The Basics
SSH layers, on top of TCP and IP:
Connection: Session Multiplexing, TCP forwarding, socket forwarding, sftp subsystem, etc
User Auth: User Authentication (password, Pubkey, etc)
Transport: Key Agreement (DH), Host auth, Integrity, Encryption, Re-Keying
TCP
IP
SSH 101- The Basics
Client Server
Encrypted Channel Setup
User Authentication
Connection
SSH 101 - The Basics
User authentication methods:
GSSAPI
Host-Based
Public Key
Challenge-Response
Password
Password Authentication
Client: ssh
Server: sshd, passwd file
Encrypted Channel Setup
username, use password
OK
Password
Auth Ok / NOk
If the server is compromised...
sshd binary is changed with one that logs passwords
keylogger is installed on the server
..the password is compromised!
PublicKey Authentication
Client: id_dsa, ssh
Server: sshd, authorized_keys
Encrypted Channel Setup
username, use publickey
OK
Signature
Auth Ok / NOk
DEMO
What if I have a lot of keys, or log in a lot?
SSH Agent
Client: Agent, id_dsa, ssh
Server: sshd, authorized_keys
Encrypted Channel Setup
username, use publickey
OK
Signature
Auth Ok / NOk
What if I SSH into other servers?
SSH Agent Forwarding
No need to copy private key to other servers
Key is kept on the original source host
Agent is forwarded, using a tunnel
Passwordless!
SSH Agent Forwarding
Client: Agent, id_dsa, ssh
Server #1: sshd, authorized_keys, ssh
Server #2: sshd, authorized_keys
Transport, Connection, Interactive Shell, Agent Forwarding
Transport, Connection, Interactive Shell
Control Master
Connection multiplexing allows for multiple sessions on one connection
It’s fast
No need for extra authentication
DEMO
Caveat Emptor(s)
You must trust the server(s)
What if the server was compromised?
Can SSH Agent be abused?
Can Control Master be abused?
DEMO
Help us Obi Wan
You’re our only hope!
Freak on a Leash
When adding keys to ssh-agent use ssh-add with:
-t <secs> to set a maximum lifetime on the identities being added to the agent
-c to indicate that identities being added should be subject to confirmation before being used for auth
Freak on a Leash
ssh-agent queries /usr/libexec/ssh-askpass for confirmation
"ssh-add -c -t 3600 < /dev/null" makes ssh-add use env var SSH_ASKPASS to query for passphrase
DEMO
But we still need passwords!
If you su / sudo, you still type your password...
What if we could use the SSH Agent for sudo?
Yes we can! :)
DEMO
Paranoia is reality on a finer scale
Using SSH w/o using SSH (but still using SSH)
ssh -W trusted:22 untrusted
Open socket to trusted Server...
...through an untrusted Server
Using SSH w/o using SSH (but still using SSH)
ssh -o "ProxyCommand ssh -a -W trusted:22 untrusted" trusted
Open Socket to trusted via untrusted
Disable Agent Forwarding
Connect to the socket created
Just for user and key validation
Using SSH w/o using SSH (but still using SSH)
Client: Agent, id_dsa, ssh
Untrusted: sshd, authorized_keys
Owned: sshd, authorized_keys
Trusted: sshd, authorized_keys
Transport, Connection, -W (Open Socket to Server #2)
Transport, Connection, Interactive Shell
DEMO
Control your SSH
.ssh/config
Host trusted1 trusted2 trusted3
    ForwardAgent yes
    ProxyCommand ssh -a -W %h:22 untrusted.server.com
Host *
    ControlMaster no
    ForwardAgent no
    PasswordAuthentication no
    HashKnownHosts yes
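The order of the two Host blocks in this config matters, because ssh uses the first value it obtains for each option. The sketch below is an added example, not from the original slides: a simplified resolver (no Match, Include or quoting support) run over constructed configs, with parse_blocks, host_matches, effective and forwards_agent as hypothetical helper names.

```python
import fnmatch
import re
# Constructed input: the slide's layout, specific hosts first, defaults last.
SLIDE_CONFIG = """\
Host trusted1 trusted2 trusted3
    ForwardAgent yes
    ProxyCommand ssh -a -W %h:22 untrusted.server.com
Host *
    ControlMaster no
    ForwardAgent no
"""
# Constructed counter-example: the wildcard block comes first.
WILDCARD_FIRST = """\
Host *
    ForwardAgent yes
Host untrusted.server.com
    ForwardAgent no
"""

def parse_blocks(text):
    """Return [(host_patterns, [(keyword, value), ...]), ...] in file order."""
    blocks = [(["*"], [])]  # options before any Host line apply to every host
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        keyword, value = re.split(r"[ \t=]+", line, maxsplit=1)
        if keyword.lower() == "host":
            blocks.append((value.split(), []))
        else:
            blocks[-1][1].append((keyword.lower(), value))
    return blocks

def host_matches(host, patterns):
    """A Host line matches if a positive pattern hits and no '!' pattern does."""
    if any(fnmatch.fnmatchcase(host, p[1:]) for p in patterns if p.startswith("!")):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in patterns if not p.startswith("!"))

def effective(text, host):
    """Resolve options for host; the first value obtained for a keyword wins."""
    resolved = {}
    for patterns, options in parse_blocks(text):
        if host_matches(host, patterns):
            for keyword, value in options:
                resolved.setdefault(keyword, value)
    return resolved

def forwards_agent(text, host):
    return effective(text, host).get("forwardagent", "no").lower() == "yes"  # ssh default: no
```

With WILDCARD_FIRST, forwards_agent reports True for untrusted.server.com because the later "ForwardAgent no" never takes effect; restrictive defaults belong in a final Host * block, with per-host exceptions above it.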
Live long and prosper
References
RTFM :)
RFCs 4251-4256,4335,4344,4345,4419,4432,4462,4716,5656
http://www.linuxjournal.com/article/9566
http://pamsshagentauth.sourceforge.net/
http://www.jedi.be/blog/2010/08/27/ssh-tricks-the-usual-and-beyond/