(mis)Trusting and (ab)Using SSH - Extended Version
Transcript of (mis)Trusting and (ab)Using SSH - Extended Version
[Slide 1]
INTEGRITY
(mis)Trusting and (ab)Using SSH
Tips and Tricks for Pentesters and Sysadmins
Herman Duarte <[email protected]>
Bruno Morisson <[email protected]>
[Slide 2]
About us
Bruno Morisson <[email protected]>
Consultant and Partner @ INTEGRITY
Leading Consulting and Penetration Testing engagements
Breaking things, and finding how to fix them
CISSP-ISSMP, CISA, ISO27001LA
Currently doing the MSc in Information Security @ Royal Holloway, University of London.
Herman Duarte <[email protected]>
Consultant @ INTEGRITY
Penetration testing engagements
BSc in Information Systems and Computer Engineering
CISSP Associate / ISO27001LA / CCNA
@morisson http://www.linkedin.com/in/morisson
@hdontwit http://www.linkedin.com/in/hcoduarte
[Slide 3]
Security Competition Winner
[Slide 4]
Objectives
Show common pitfalls when using SSH
Understand how you can use SSH more securely
Understand what you cannot assure when using SSH
[Slide 5]
SSH* features
Key agreement (DH)
Encrypted communications (C&I from CIA)
Multiple authentication options (password, public keys, kerberos, etc...)
Channel Multiplexing
Port Forwarding
VPN
...and so much more!
* for this talk SSH==SSHv2
[Slide 6]
SSH 101 - The Basics
Protocol stack, top to bottom (the three upper layers make up SSH, running over TCP over IP):
Connection: Session Multiplexing, TCP forwarding, socket forwarding, sftp subsystem, etc.
User Auth: User Authentication (password, Pubkey, etc.)
Transport: Key Agreement (DH), Host auth, Integrity, Encryption, Re-Keying
TCP
IP
[Slide 7]
SSH 101 - The Basics
Client <-> Server, in order:
Encrypted Channel Setup
User Authentication
Connection
[Slide 8]
SSH 101 - The Basics
User authentication methods:
GSSAPI
Host-Based
Public Key
Challenge-Response
Password
[Slide 9]
Password Authentication
Client (ssh) and Server (sshd, checking against the passwd file):
Encrypted Channel Setup
Client -> Server: username, use password
Server -> Client: OK
Client -> Server: Password
Server -> Client: Auth Ok / NOk
[Slide 10]
If the server is compromised...
sshd binary is changed with one that logs passwords
keylogger is installed on the server
...the password is compromised!
[Slide 11]
PublicKey Authentication
Client (ssh, holding id_dsa) and Server (sshd, checking against authorized_keys):
Encrypted Channel Setup
Client -> Server: username, use publickey
Server -> Client: OK
Client -> Server: Signature
Server -> Client: Auth Ok / NOk
[Slide 12]
DEMO
[Slide 14]
What if I have a lot of servers, or log in a lot?
[Slide 15]
Control Master
Connection multiplexing allows for multiple sessions on one connection
It’s fast
No need for extra authentication
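As an added example (not from the original slides), here is a small POSIX shell wrapper for the Control Master pattern described above: one master connection is authenticated once, later sessions ride on it without a new authentication, and the control socket is kept in a directory only its owner can read. The path ~/.ssh/cm, the 10 minute ControlPersist, the example host name and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original slides: a small Control Master
# workflow. One master connection authenticates once, later sessions ride
# on it, and the control socket sits in a directory only its owner can read.
# The path ~/.ssh/cm, the 10 minute ControlPersist and the function names are
# choices made for this example.

CM_DIR=${CM_DIR:-$HOME/.ssh/cm}

# cm_dir_prepare DIR -> creates DIR with mode 0700. ssh_config(5) recommends
# a socket directory that is not writable by other users: anyone who can
# connect to the socket gets a session as you, with no key of their own.
cm_dir_prepare() {
    mkdir -p "$1" && chmod 0700 "$1"
}

# cm_dir_ok DIR -> 0 if DIR exists, belongs to us and is exactly mode 0700.
cm_dir_ok() {
    [ -d "$1" ] || return 1
    info=$(ls -ld "$1")
    perms=$(printf '%s\n' "$info" | cut -c2-10)
    owner=$(printf '%s\n' "$info" | awk '{ print $3 }')
    [ "$perms" = "rwx------" ] && [ "$owner" = "$(id -un)" ]
}

# cm_open HOST -> starts a background master for HOST; this is the one
# connection that authenticates. %C hashes local host, remote host, port and
# user into the socket name, so each destination gets its own socket.
cm_open() {
    cm_dir_ok "$CM_DIR" || cm_dir_prepare "$CM_DIR" || return 1
    ssh -M -S "$CM_DIR/%C" -o ControlPersist=10m -fN "$1"
}

# cm_run HOST CMD... -> runs CMD through the existing master, no new auth.
cm_run() {
    host=$1; shift
    ssh -S "$CM_DIR/%C" -o ControlMaster=no "$host" "$@"
}

# cm_status HOST -> asks the master whether it is alive (ssh -O check).
cm_status() { ssh -S "$CM_DIR/%C" -O check "$1"; }

# cm_close HOST -> tells the master to exit, closing every shared session.
cm_close() { ssh -S "$CM_DIR/%C" -O exit "$1"; }

# Typical use (bastion.example.net is a placeholder host name):
#   cm_open bastion.example.net        # authenticate once
#   cm_run bastion.example.net uptime  # no prompt, rides on the master
#   cm_close bastion.example.net       # drop the socket when done
```

The socket is the thing to protect: whoever can connect to it inherits the authenticated session, which is exactly the "Can Control Master be abused?" question later in the talk, so the directory check runs before every master is opened.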
[Slide 16]
DEMO
[Slide 18]
SSH Agent
Client (ssh; the private key id_dsa is held by the Agent) and Server (sshd, checking against authorized_keys):
Encrypted Channel Setup
Client -> Server: username, use publickey
Server -> Client: OK
Client -> Server: Signature (produced by the Agent)
Server -> Client: Auth Ok / NOk
[Slide 19]
DEMO
[Slide 22]
What if I manage a lot of servers?
[Slide 23]
Typical setup
SSH -> SSH -> SSH (hopping from server to server)
Options:
Use passwords?
Copy private key to host?
[Slide 24]
Multiplexing / Forwarding
Client <-> Server
Transport
Connection, carrying several channels at once:
Interactive Shell
Interactive Shell #2
TCP Port Forward, client side: 127.0.0.1:1234 -> www.google.com:80, opened with ssh -L 1234:www.google.com:80
TCP Port Forward, server side: 127.0.0.1:80 -> www.google.com:80, opened with ssh -R 80:www.google.com:80
[Slide 25]
SSH Agent Forwarding
No need to copy private key to other servers
Key is kept on the original source host
Agent is forwarded, using a tunnel
Passwordless!
[Slide 26]
SSH Agent Forwarding
Client: ssh, Agent, id_dsa
Server #1: sshd, authorized_keys
Server #2: sshd, authorized_keys
Client -> Server #1: Transport, Connection (Interactive Shell, Agent Forwarding)
Server #1 -> Server #2: ssh, Transport, Connection (Interactive Shell), authenticating with the Agent forwarded from the Client
[Slide 27]
DEMO
[Slide 29]
Caveat Emptor(s)
You must trust the server(s)
What if the server was compromised?
Can SSH Agent be abused?
Can Control Master be abused?
[Slide 30]
DEMO
[Slide 33]
Help us Obi Wan
You’re our only hope!
[Slide 34]
Freak on a Leash
When adding keys to ssh-agent use ssh-add with:
-t <secs> to set a maximum lifetime on the identities being added to the agent
-c to indicate that identities being added should be subject to confirmation before being used for auth
[Slide 35]
Freak on a Leash
ssh-agent queries /usr/libexec/ssh-askpass for confirmation
"ssh-add -c -t 3600 < /dev/null" makes ssh-add use env var SSH_ASKPASS to query for passphrase
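An added example, not from the original slides, that wraps the ssh-add -c -t pattern above in a POSIX shell helper: the lifetime is validated and capped, and ssh-add runs with stdin from /dev/null so the passphrase is collected through SSH_ASKPASS. The 8h ceiling, the default key path ~/.ssh/id_ed25519 and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original slides: a helper around
# "ssh-add -c -t" that puts loaded identities on a leash. The 8h ceiling and
# the default key path are assumptions of this example.

LEASH_MAX_SECS=28800   # assumption: never keep a key loaded longer than 8h

# leash_lifetime_secs SPEC -> prints SPEC in seconds. SPEC is plain seconds
# or a number with an s/m/h/d suffix (30m, 2h), the shapes ssh-add -t takes.
# Returns 1 for anything malformed, zero, or above LEASH_MAX_SECS.
leash_lifetime_secs() {
    spec=$1
    num=${spec%[smhd]}
    unit=${spec#"$num"}
    case $num in ''|*[!0-9]*) return 1 ;; esac
    case $unit in
        ''|s) mult=1 ;;
        m)    mult=60 ;;
        h)    mult=3600 ;;
        d)    mult=86400 ;;
        *)    return 1 ;;
    esac
    secs=$((num * mult))
    { [ "$secs" -gt 0 ] && [ "$secs" -le "$LEASH_MAX_SECS" ]; } || return 1
    printf '%s\n' "$secs"
}

# leash_agent_ok -> 0 only if SSH_AUTH_SOCK points at an existing socket.
leash_agent_ok() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# leash_add SPEC [KEY...] -> loads KEY (default ~/.ssh/id_ed25519) for SPEC,
# with -c so every signing request must be confirmed. stdin is /dev/null, so
# ssh-add reads the passphrase via $SSH_ASKPASS (DISPLAY must also be set for
# that). The later "Allow use of key?" prompts are raised by ssh-agent, not
# ssh-add, so the agent itself must have been started with SSH_ASKPASS in its
# environment, or it falls back to the compiled-in ssh-askpass path.
leash_add() {
    secs=$(leash_lifetime_secs "$1") || { echo "bad lifetime: $1" >&2; return 2; }
    shift
    leash_agent_ok || { echo "no usable agent in SSH_AUTH_SOCK" >&2; return 3; }
    [ $# -gt 0 ] || set -- "$HOME/.ssh/id_ed25519"   # assumption: default key
    ssh-add -c -t "$secs" "$@" < /dev/null
}

# Typical use: leash_add 2h ~/.ssh/id_ed25519
```

The cap matters as much as the confirmation: a key that expires from the agent limits how long a forwarded agent on a compromised server stays useful, and -c makes every use of it visible to you.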
[Slide 36]
DEMO
[Slide 38]
But we still need passwords!
If you su / sudo, you still type your password...
What if we could use the SSH Agent for sudo?
Yes we can! :)
[Slide 39]
DEMO
[Slide 42]
Paranoia is reality on a finer scale
[Slide 43]
What if...
we could SSH without using SSH?
[Slide 44]
Using SSH Gangnam Style
[Slide 45]
Using SSH w/o using SSH (but still using SSH)
ssh -W trusted:22 untrusted
Open socket to trusted Server...
...through an untrusted Server
[Slide 46]
Using SSH w/o using SSH (but still using SSH)
ssh -o "ProxyCommand ssh -a -W trusted:22 untrusted" trusted
-W trusted:22: Open Socket to trusted via untrusted
-a: Disable Agent Forwarding
ProxyCommand: Connect to the socket created
untrusted: Just for user and key validation
[Slide 47]
Using SSH w/o using SSH (but still using SSH)
Client: ssh, Agent, id_dsa
Untrusted (Owned): sshd, authorized_keys
Trusted: sshd, authorized_keys
Client -> Untrusted: Transport, Connection, -W (Open Socket to Server #2)
Client -> Trusted, inside that socket: Transport, Connection, Interactive Shell
[Slide 48]
DEMO
[Slide 50]
Control your SSH
.ssh/config
Host trusted1 trusted2 trusted3
    ForwardAgent yes
    ProxyCommand ssh -a -W %h:22 untrusted.server.com

Host *
    ControlMaster no
    ForwardAgent no
    PasswordAuthentication no
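The following added example (not from the original slides) audits a ~/.ssh/config against the secure defaults above and the -a/-W hop pattern from the earlier "Using SSH w/o using SSH" slides: it reports a Host * block that forwards the agent or leaves passwords on, a ProxyCommand hop made without -a, and a ControlPath in a shared directory, and it lists every ForwardAgent exception for review. It is written in POSIX sh and awk, the function names are this example's own, and the two sample configs it writes are constructed for the demonstration (the hardened one reproduces the slide config above).

```shell
#!/bin/sh
# Added example, not from the original slides: audit a ~/.ssh/config for the
# defaults the talk recommends and for exceptions that widen them.
# POSIX sh plus awk only. Function names are this example's own.

# ssh_config_audit FILE -> prints WARN:/INFO: lines; exits 1 if any WARN.
ssh_config_audit() {
    awk '
    # ssh_config(5): for each option the first obtained value is used, so a
    # Host * block placed before a specific stanza would override it too.
    function setopt(key, val) { if (!((stanza, key) in opt)) opt[stanza, key] = val }
    function get(s, key) { return ((s, key) in opt) ? opt[s, key] : "" }
    function default_is(key, want,   v) {
        v = tolower(get("*", key))
        if (v == "") v = tolower(get("(global)", key))
        return v == want
    }
    function warn(msg) { print "WARN: " msg; findings++ }
    function info(msg) { print "INFO: " msg }
    BEGIN { stanza = "(global)"; order[1] = stanza; seen[stanza] = 1; n = 1; findings = 0 }
    /^[ \t]*(#|$)/ { next }
    {
        # "Key value" form only; the Key=value spelling is not parsed here.
        key = tolower($1); val = ""
        for (i = 2; i <= NF; i++) val = val (i > 2 ? " " : "") $i
        if (key == "host") {
            stanza = val
            if (!(stanza in seen)) { seen[stanza] = 1; order[++n] = stanza }
            next
        }
        setopt(key, val)
    }
    END {
        for (i = 1; i <= n; i++) {
            s = order[i]
            if (tolower(get(s, "forwardagent")) == "yes") {
                if (s == "*" || s == "(global)")
                    warn("ForwardAgent yes applies to every host: a compromised server can use your agent")
                else
                    info("ForwardAgent yes for \"" s "\": these hosts get full use of your agent, keep the list to hosts you trust")
            }
            if (tolower(get(s, "passwordauthentication")) == "yes")
                warn("PasswordAuthentication yes for \"" s "\": a compromised sshd can capture the password")
            pc = get(s, "proxycommand")
            if (pc ~ /^ssh / && pc !~ /(^| )-a( |$)/)
                warn("ProxyCommand for \"" s "\" hops with ssh but without -a: agent forwarding to the hop host is then decided by the hop host config")
            cp = get(s, "controlpath")
            if (cp != "" && tolower(cp) != "none") {
                if (cp ~ /^\/(var\/)?tmp\//)
                    warn("ControlPath for \"" s "\" is under a shared tmp directory: other local users may reach the socket")
                if (cp !~ /%C/ && (cp !~ /%h/ || cp !~ /%p/ || cp !~ /%r/))
                    warn("ControlPath for \"" s "\" lacks %C or all of %h %p %r: sessions for different hosts or users may collide")
            }
        }
        if (!default_is("passwordauthentication", "no"))
            warn("PasswordAuthentication not set to no in Host *: the client still offers passwords by default")
        if (!default_is("forwardagent", "no"))
            warn("ForwardAgent not pinned to no in Host *: pin it so every exception is explicit")
        if (!default_is("controlmaster", "no"))
            warn("ControlMaster not pinned to no in Host *: enable multiplexing per host only")
        exit (findings > 0 ? 1 : 0)
    }' "$1"
}

# write_samples DIR -> constructed sample configs for a stand-alone run: a
# weak one (made up for this example) and the hardened one from the slide.
write_samples() {
    cat > "$1/weak" <<'EOF'
# Convenience everywhere: agent to all hosts, sockets in /tmp, passwords on.
Host *
    ForwardAgent yes
    ControlMaster auto
    ControlPath /tmp/cm-%h
EOF
    cat > "$1/hardened" <<'EOF'
Host trusted1 trusted2 trusted3
    ForwardAgent yes
    ProxyCommand ssh -a -W %h:22 untrusted.server.com

Host *
    ControlMaster no
    ForwardAgent no
    PasswordAuthentication no
EOF
}

samples=$(mktemp -d)
write_samples "$samples"
for cfg in weak hardened; do
    printf '== %s ==\n' "$cfg"
    ssh_config_audit "$samples/$cfg" || printf '%s: fix before use\n' "$cfg"
done
rm -rf "$samples"
```

Run it against your own file with ssh_config_audit ~/.ssh/config. The hardened config produces only an INFO line naming the three trusted hosts, which is the intended outcome: agent forwarding is an explicit, reviewable exception rather than the default.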
[Slide 51]
Wrapping up
Don’t use passwords.
When using publickey auth, control your private key.
Be careful with multiplexing options (tunnels, CM, etc).
Read the Fu^Hine Manual, before using exotic features.
Create ~/.ssh/config file with a secure default configuration, and configure exceptions when needed.
Don’t use passwords.
[Slide 52]
Live long and prosper
[Slide 53]
References
RTFM :)
RFCs 4251-4256, 4335, 4344, 4345, 4419, 4432, 4462, 4716, 5656
http://www.linuxjournal.com/article/9566
http://pamsshagentauth.sourceforge.net/
http://www.jedi.be/blog/2010/08/27/ssh-tricks-the-usual-and-beyond/
http://www.openbsd.org/papers/auug2002-ssh.pdf
http://pentestmonkey.net/cheat-sheet/ssh-cheat-sheet
http://www.hsc.fr/ressources/breves/passe-partout.html.en