Subject: Re: sshd Change: PermitRootLogin = no
To: Curt Sampson <cjs@cynic.net>
From: Bill Studenmund <wrstuden@netbsd.org>
List: current-users
Date: 09/04/2001 11:59:27
On Wed, 5 Sep 2001, Curt Sampson wrote:

> On Mon, 3 Sep 2001, Bill Studenmund wrote:
>
> > If you can't
> > trust your admins enough that you are not comfortable with them being able
> > to directly log in as root rather than having them login as him/herself
> > and then su, why did you give them the root password in the first place?
>
> Whoops! Another straw man!

Depends on what you're defending against. If you were focusing on having a
log of who became root, then it is a valid argument (and some folks in
this thread are). If you were focusing on something else, then yes, it
doesn't matter.

> 1. This security measure is intended as a defense against people I've
> NOT given the password to.

Ahhh... Ok. But how much of a defense is it? _HOW_ is it a defense?

> 2. There are, anyway, conceivable circumstances where I didn't trust
> them that much but had to give them the root password anyway, but I'm
> not going to bother arguing that point.

I've done enough admin work to understand that point! No disagreement
there. :-)

> > As for the, "it's now two passwords to crack," argument, I don't think
> > that buys you much. Theo, in private communications, pointed out a paper
> > presented at usenix (that I admit I haven't read) which indicates that you
> > can snoop ssh traffic and see when someone is doing an su, and how long a
> > password s/he typed. So if you're in the cracking mood, you find who does
> > sus, attack such a person's account, and install a snooper.
>
> Right. And this is just as easy as "ssh foo" followed by typing the
> password? No, I don't think so.

What does that mean?

Please read the paper. It's at
http://paris.cs.berkeley.edu/~dawnsong/papers/ssh-timing.pdf
Logging into a box and then doing an su is readily noticeable by a passive
packet sniffer. Passively watching the exchange, the snooper can get enough
info to reduce the difficulty of brute-force hacking by a factor of 50.
That's almost two orders of magnitude.

> For every single security measure out there, there's an attack that
> can get around it. That doesn't mean that we should abandon all of our
> security measures.

I agree with you in principle. Security measures are about deciding how
much effort you want the attacker to have to make, comparing that with
how useful the machine would then be, and making a tradeoff. I think the
thrust of this thread is that we disagree as to whether or not this change
is a net win or loss in the tradeoff.

Reading the paper has changed my mind on some things in this thread.
Before, I thought that we were disagreeing either about consistency of
security (before, you could only login from a "secure" console, and if we
consider ssh logins secure, then you still can, but if we don't consider ssh
logins "secure" you couldn't) and su logging (you have to get to root via
su, which as an _absolute_ rule I find annoying) and consistency w/ ssh
before it was integrated and ssh on other systems (which default to root
logins ok).

This paper, though, shows that doing an su over an ssh connection leaks a
lot of information about the su'ing password. That snooper learns both the
exact password length, and info about the letters of the password. With
direct root logins, the only thing which gets leaked is if the password
has eight characters or not. No info about the password's characters is
released - they are all sent as one block of info. Thus this change makes
more info about the root password available than before. That looks like a
step backwards in security...
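As an added illustration (not part of this thread), here is a small Python model of what a passive observer learns about password length in the two cases described above: one packet per keystroke for an su inside a session, versus a single padded block for a direct login. BLOCK_SIZE, MAX_LEN and the sample password are assumptions, and the paper's inter-keystroke timing analysis of the characters themselves is deliberately not modelled.

```python
import math

BLOCK_SIZE = 8   # assumed cipher block size; matches the "eight characters or not" observation
MAX_LEN = 32     # assumed upper bound on password length the observer considers


def wire_view(password: str, mode: str) -> list:
    """Payload sizes a passive sniffer sees while the password is entered.

    'interactive': su inside an ssh session, every keystroke travels as its own packet.
    'direct': password handed to the login exchange as one block, padded to BLOCK_SIZE.
    """
    if mode == "interactive":
        return [1] * len(password)           # packet count == password length
    if mode == "direct":
        blocks = max(1, math.ceil(len(password) / BLOCK_SIZE))
        return [blocks * BLOCK_SIZE]         # only the block count is visible
    raise ValueError(f"unknown mode: {mode}")


def consistent_lengths(view: list, mode: str) -> set:
    """Password lengths that would produce exactly this wire view."""
    return {n for n in range(1, MAX_LEN + 1) if wire_view("x" * n, mode) == view}


def leaked_bits(view: list, mode: str) -> float:
    """Bits of length information gained, assuming a uniform prior over 1..MAX_LEN."""
    return math.log2(MAX_LEN / len(consistent_lengths(view, mode)))


if __name__ == "__main__":
    sample = "correcthorse"                  # constructed sample password (12 characters)
    for mode in ("interactive", "direct"):
        view = wire_view(sample, mode)
        print(mode, view, sorted(consistent_lengths(view, mode)), leaked_bits(view, mode))
```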

> > I guess part of my concern is that, as reflected in my thoughts above,
> > this change doesn't really make things more secure.
>
> It does, in that you've just pointed out how much harder it is to do an
> attack that gets you root with this measure in place.

But is it really that much harder? Yes, I described a tool which would be
needed. But that tool is the kind of thing which script kitty kit makers
can certainly include in their kits. It doesn't strike me as a terribly
difficult thing to make. Also, from reading the paper, with watching an
su, you really don't need the snooping program. herbivore, a program from
the paper, can do it.

> Again, much more work. So this measure is still protecting me against
> someone unsophisticated who has my root password but nothing else.

How likely is this scenario? How would such a person get the root password
and nothing else? Other than say using an herbivore-type program and
watching an su? :-)

If there are lots of ways for this to happen, then yes, we need this
change. But I really don't see how this case is likely.

Take care,

Bill