Date: Mon, 5 Nov 2001 04:36:13 -0500
From: Ben Eisenbraun
To: "Gary W. Swearingen"
Cc: questions@FreeBSD.ORG
Subject: Re: Lockdown of FreeBSD machine directly on Net
Message-ID: <20011105043613.A90073@klatsch.org>
In-Reply-To: <8s668sdck9.68s@localhost.localdomain>; from swear@blarg.net on Fri, Nov 02, 2001 at 02:37:26PM -0800
X-Disclaimer: I'm the only one foolish enough to claim these opinions.

On Fri, Nov 02, 2001 at 02:37:26PM -0800, Gary W. Swearingen wrote:
> Ben Eisenbraun writes:
>
> > change that to yes, HUP sshd, and it will allow root to login directly
> > via ssh.
> >
> > NOT RECOMMENDED.
>
> I'd like to know why.

(Apologies for the late reply.)

I sat down and came up with a few reasons I didn't feel this was a good idea, but none of them were particularly persuasive given a few changes to the proposed usage and one caveat, so I hit Google looking to find some real basis for the vague sense of unease I felt about allowing direct root logins via ssh.
Much of the interesting discussion I found about this issue came from a 65+ email thread on tech-security@netbsd.org from Aug - Sept of this year, when they changed PermitRootLogin from yes to no in their default config. There were also several discussions regarding this on OpenBSD's mailing list and some of the ssh lists.

The conclusion I came to after a few hours of reading is that ssh logins as a regular user who then uses 'su' don't really increase security over direct root logins with an ssh key. ssh v1 and v2 (and indeed almost any encrypted protocol that transmits typed data) appear to be susceptible to timing attacks that would allow an attacker to both determine when a password is being transmitted and significantly reduce the computational cost of cracking that password. Also, it's not difficult to determine when a user uses 'su' or 'sudo' or enters a PGP passphrase (anything that's typed but not echoed leaves a fairly distinct packet trail). ssh v1 also transmits the password length during the initial authentication; ssh v2 doesn't have this weakness.

xref: http://paris.cs.berkeley.edu/~dawnsong/papers/ssh-timing.pdf

The NetBSD thread starts here: http://mail-index.netbsd.org/tech-security/2001/08/

Here are the reasons that I initially came up with against allowing direct root logins via ssh:

- setting 'PermitRootLogin' to 'yes' opens you up to a brute-force password attack against the root account
- FreeBSD doesn't log ssh authentication failures by default
- FreeBSD also defaults to using ssh v1, which has been shown to be susceptible to MITM attacks
- there's no audit trail of who-did-what in a multi-admin environment (something which 'su' only partially provides)
That said, and taken in light of the additional info I've read, there's no real harm in allowing direct root logins provided you set PermitRootLogin to without-password and use ssh keys, change sshd's logging facility or start logging auth.*, switch to ssh v2, and are working in a single-admin environment where the need for accountability is lowered (i.e., if you didn't log in as root and make that change, it must have been a bad guy).

I think that's the stickler for me; in a multi-admin environment, the audit trail provided by sudo (which is what we use) is a big plus. 'sudo' also gives us a few options for tightening the screws that 'su' lacks, i.e., you can restrict the $PATH so that you can't use it to run programs in a user's ~/bin and the like.

As another data point, OpenSSH defaults to PermitRootLogin as 'yes', so whoever integrated the software into FreeBSD changed that. You can draw from that whatever conclusion you like.

> I'd think that if you can't trust ssh you might
> as well give up.

As a general rule, I try to trust as little as possible. How long will it be before some bright hacker discovers the next flaw in the ssh protocol implementation?

> IF we assume ssh is secure, isn't it as safe to login as root via ssh as
> at the system console?

That's a big assumption. Any time you're transmitting sensitive data over a network, you're opening yourself up to attack. In general, I'd think it's much harder to sniff data between the keyboard and the PS/2 port. (Although with a wireless, IR keyboard...)

In any case, thanks for the question, Gary. It's always good to be asked to examine my assumptions. (Especially when they're only partially right! :-)

-ben
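As an added example (not part of Ben's post, nor FreeBSD or OpenSSH code), a POSIX sh audit of an sshd_config against the three sshd-side conditions the post attaches to allowing direct root logins: PermitRootLogin limited to keys, protocol 2 only, and a syslog facility that the host will actually record. The two sample configs and the LOCAL0 facility choice are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original thread or from FreeBSD/OpenSSH.
# Audits an sshd_config against the three sshd-side conditions the post
# attaches to allowing direct root logins: PermitRootLogin limited to keys,
# protocol 2 only, and a syslog facility that the host will actually record.
# Exit status of audit_sshd_config is the number of findings (0 = clean).
# Effective value of a keyword, the way sshd reads it: first non-comment
# "Keyword value" line wins, keyword match is case-insensitive.
sshd_setting() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

audit_sshd_config() {
    cfg="$1"
    findings=0

    # Unset means the OpenSSH default, which was 'yes' (prohibit-password is
    # the modern spelling of without-password).
    case "$(sshd_setting "$cfg" PermitRootLogin)" in
        without-password|prohibit-password|no) ;;
        *) echo "FAIL: PermitRootLogin allows root password logins; set without-password"
           findings=$((findings + 1)) ;;
    esac

    # Anything other than an explicit "Protocol 2" leaves ssh v1 negotiable.
    case "$(sshd_setting "$cfg" Protocol)" in
        2) ;;
        *) echo "FAIL: Protocol not pinned to 2; ssh v1 may be negotiated"
           findings=$((findings + 1)) ;;
    esac

    # The post's point: the default AUTH facility was not written to a log
    # file on FreeBSD of the time, so either move it or log auth.*.
    case "$(sshd_setting "$cfg" SyslogFacility | tr 'A-Z' 'a-z')" in
        ""|auth) echo "FAIL: SyslogFacility is AUTH; change it or add auth.* to syslog.conf"
                 findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Constructed samples: the era's weak config beside a hardened one. LOCAL0 is
# an arbitrary choice; keeping AUTH and logging auth.* is equally valid.
WEAK_CFG=$(mktemp) && printf '%s\n' 'Protocol 2,1' 'PermitRootLogin yes' > "$WEAK_CFG"
HARD_CFG=$(mktemp) && printf '%s\n' 'Protocol 2' 'PermitRootLogin without-password' \
    'SyslogFacility LOCAL0' > "$HARD_CFG"

audit_sshd_config "$WEAK_CFG" || echo "weak config: $? finding(s)"
audit_sshd_config "$HARD_CFG" && echo "hardened config: no findings"
```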