Re: [suse-security] more on SSH

Draven Loving <greddy@gte.net> wrote:
2. If I do decide to use the SSH source ... there's an option on the ./configure --disable-suid-ssh ... is this practical and does it have any security implications?

If you are paranoid (e.g., if you suspect exploitable bugs in ssh) you might consider it more secure not to have ssh suid-root. OTOH this makes it impossible for the ssh client (when used by a normal user) to bind to a privileged port and to use the private hostkey for authentication, so any host based authentication (RhostsAuthentication and RhostsRSAAuthentication) will not work. I.e., not installing the ssh client suid-root will restrict you to RSAAuthentication (per user RSA-Keys) or PasswordAuthentication when logging in to a remote host.

Eilert
--
Eilert Brinkmann -- Universitaet Bremen -- FB 3, Informatik
eilert@informatik.uni-bremen.de - eilert@tzi.org - eilert@linuxfreak.com
http://www.informatik.uni-bremen.de/~eilert/

Draven Loving <greddy@gte.net> wrote:
2. If I do decide to use the SSH source ... there's an option on the ./configure --disable-suid-ssh ... is this practical and does it have any security implications?

If you are paranoid (e.g., if you suspect exploitable bugs in ssh) you might consider it more secure not to have ssh suid-root. OTOH this makes it impossible for the ssh client (when used by a normal user) to bind to a privileged port and to use the private hostkey for authentication, so any host based authentication (RhostsAuthentication and RhostsRSAAuthentication) will not work. I.e., not installing the ssh client suid-root will restrict you to RSAAuthentication (per user RSA-Keys) or PasswordAuthentication when logging in to a remote host.

Small addition: Secure shell knows several authentication schemes:

RSAAuthentication
    public-private-key authentication, works with .ssh/authorized_keys on the remote side and does not need suid root/privileged ports.

RhostsRSAAuthentication
    A mix between RhostsAuthentication and RSAAuthentication where hosts must prove their identity. This makes man-in-the-middle-attacks more difficult and unlikely.

RhostsAuthentication
    Remote authentication is only done because of the following assumptions (by the server):
    1) The connection comes from a port < 1024. Therefore, the client program is suid root or root himself called the binary.
    2) If 1) is true, the server trusts the client's claims about the user identity on the client side. The port < 1024 guarantees that the binary used is the one in the system's bin directories, because it's suid root.
    Here is the biggest problem: Why should the server trust information from the client in the first place? Note that this is not the case with RSAAuthentication because the client must prove identity credentials by answering a (cryptographic) challenge.

PasswordAuthentication
    Well, yes.

Eilert

Thanks,
Roman.
--
| Roman Drahtmüller <draht@suse.de> // "Caution: Cape does
| SuSE GmbH - Security Phone: // not enable user to fly."
| Nürnberg, Germany +49-911-740530 // (Batman Costume warning label)
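
The constraint discussed in this thread, as an added example that is not part of the original messages: a small Python audit that reads the four authentication keywords from an ssh_config-style file and reports which methods a client can actually use depending on whether the ssh binary is suid root. The function names and the sample configuration are constructed for illustration; Host blocks are ignored and an unset keyword is assumed to mean "disabled".

```python
import os
import stat

# Per the thread: these need a suid-root client (privileged port, host key).
HOST_BASED = ("RhostsAuthentication", "RhostsRSAAuthentication")
# These work for an unprivileged client.
USER_BASED = ("RSAAuthentication", "PasswordAuthentication")
# Constructed sample client configuration, not taken from the thread.
SAMPLE_CONFIG = """\
RhostsAuthentication yes
RhostsRSAAuthentication yes
RSAAuthentication yes
PasswordAuthentication no
"""


def is_suid_root(path):
    """True if path has the setuid bit set and is owned by uid 0."""
    st = os.stat(path)
    return bool(st.st_mode & stat.S_ISUID) and st.st_uid == 0


def parse_config(text):
    """Collect the four authentication keywords as {keyword: bool}."""
    known = {k.lower(): k for k in HOST_BASED + USER_BASED}
    settings = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].replace("=", " ").split()
        key = known.get(parts[0].lower()) if len(parts) > 1 else None
        if key and key not in settings:  # first value wins
            settings[key] = parts[1].lower() == "yes"
    return settings


def audit(settings, suid_root):
    """Return (usable_methods, findings) for a client with these settings."""
    usable, findings = [], []
    for method in HOST_BASED + USER_BASED:
        if not settings.get(method, False):  # assumption: unset means disabled
            continue
        if method in HOST_BASED and not suid_root:
            findings.append(method + " requested but client is not suid root")
            continue
        if method == "RhostsAuthentication":
            findings.append("RhostsAuthentication trusts the client's unproven claim")
        usable.append(method)
    return usable, findings
```

Calling `audit(parse_config(open(cfg).read()), is_suid_root(ssh_path))` with the local configuration file and client binary paths gives the methods left after building with --disable-suid-ssh, plus a finding for each host-based method that will not work.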