Subject: Re: setuid ssh
To: None <sommerfeld@orchard.arlington.ma.us>
From: Luke Mewburn <lukem@cs.rmit.edu.au>
List: tech-security
Date: 10/19/2000 12:58:59
Message-Id: <200010190159.MAA09821@wombat.cs.rmit.edu.au>
Reply-to: lukem@cs.rmit.edu.au
Cc: Andrew Brown <atatat@atatdot.net>, Atsushi Onoe <onoe@sm.sony.co.jp>,
        cjs@cynic.net, hubert.feyrer@informatik.fh-regensburg.de,
        tech-security@netbsd.org
In-Reply-To: Your message of "Wed, 18 Oct 2000 10:16:25 -0400 "
	<20001018141630.AE17D2A2A@orchard.arlington.ma.us> 

Bill Sommerfeld writes:
> > i believe they can, but am placing the difficulty level a little
> > higher than breaking into a machine via some other means and obtaining
> > root privs (so as to steal all the keys).
> 
> If an attacker gets root privs, "game over"... they can replace the
> kernel and change the rules of the game.

i think the difference is this:
	- with .shosts on the target machine, the target machine
	  controls who can access. you can prevent access by changing
	  ~/.shosts on the target machine (once).
	  to spoof, you need to have a copy of the private host key from a
	  source machine and spoof the ip address. this can be much harder
	  if you have reasonable router rules and people are attacking from
	  an `off site' machine

	- with a passphraseless key, someone can compromise any machine
	  with that key, and use that whenever they like until you
	  change that key on every host with that key, no matter where
	  they are.

sure, if they get root on the target machine you're stuffed in both
cases...

i have `more secure' machines having the ability to ssh as root
to `less secure' machines as root using ~root/.shosts, and
sshd_config options such as:
	IgnoreRootRhosts	no		# allow ~root/.shosts
	IgnoreRhosts		yes		# ignore ~/.shosts
	RhostsAuthentication	no
	RhostsRSAAuthentication	yes
	IgnoreUserKnownHosts	yes

does ssh actually *need* a privileged port if you're using
RhostsRSAAuthentication? what am i missing?
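As an added example (not part of this message, and not tooling from any ssh release), the following Python checker parses an sshd_config in the keyword/value format quoted above and flags the settings that weaken the host-based model the message relies on: plain RhostsAuthentication (no host key checked), ordinary users' .shosts being honoured, and users' own known_hosts being consulted for RhostsRSA. The two sample configs are constructed for the example; the "first occurrence wins" parsing rule and the severity labels are assumptions made here.

```python
"""Audit an ssh-1.x style sshd_config for host-based trust settings.

Added example. Option names are the ones quoted in the message (ssh 1.2.x
era); the policy and severities are assumptions for illustration only.
"""

# Constructed sample configs, not copied from any real host.
STRICT = """\
IgnoreRootRhosts        no      # allow ~root/.shosts
IgnoreRhosts            yes     # ignore ~/.shosts for ordinary users
RhostsAuthentication    no      # never trust address/hostname alone
RhostsRSAAuthentication yes     # .shosts + client host key
IgnoreUserKnownHosts    yes     # only /etc/ssh_known_hosts names trusted hosts
"""

WEAK = """\
IgnoreRootRhosts        no
IgnoreRhosts            no
RhostsAuthentication    yes
RhostsRSAAuthentication yes
"""

HOST_BASED_KEYS = (
    "ignorerootrhosts",
    "ignorerhosts",
    "rhostsauthentication",
    "rhostsrsaauthentication",
    "ignoreuserknownhosts",
)

LEVEL_RANK = {"info": 0, "medium": 1, "high": 2}


def parse_sshd_config(text):
    """Return {keyword_lower: value_lower}.

    Keywords are case-insensitive, '#' starts a comment, and the first
    occurrence of a keyword wins (OpenSSH's rule; assumed here for the
    older format as well).
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        cfg.setdefault(key, value)
    return cfg


def audit_host_based(cfg):
    """Return a list of (option, level, reason) findings; empty means the
    config matches the intended 'root .shosts only, key-backed' policy."""
    findings = []
    if cfg.get("rhostsauthentication") == "yes":
        findings.append(("RhostsAuthentication", "high",
                         "client identified by source address/hostname only, "
                         "no host key checked: IP spoofing or DNS poisoning "
                         "is enough to get in"))
    if cfg.get("ignorerootrhosts") == "no" and \
            cfg.get("rhostsrsaauthentication") != "yes":
        findings.append(("RhostsRSAAuthentication", "medium",
                         "~root/.shosts is honoured but host-key-backed rhosts "
                         "auth is off, so those entries give nothing useful"))
    if cfg.get("ignorerhosts") != "yes":
        findings.append(("IgnoreRhosts", "medium",
                         "every user's ~/.rhosts and ~/.shosts are honoured; "
                         "any user can grant access to their own account from "
                         "hosts they name"))
    if cfg.get("ignoreuserknownhosts") != "yes":
        findings.append(("IgnoreUserKnownHosts", "medium",
                         "~/.ssh/known_hosts is consulted for RhostsRSA; a user "
                         "can make sshd trust a client host key of their choosing"))
    for key in HOST_BASED_KEYS:
        if key not in cfg:
            findings.append((key, "info",
                             "not set explicitly; the compiled-in default applies"))
    return findings


def worst_level(findings):
    """'ok' for no findings, else the highest severity present."""
    if not findings:
        return "ok"
    return max((f[1] for f in findings), key=LEVEL_RANK.__getitem__)


if __name__ == "__main__":
    for name, text in (("STRICT", STRICT), ("WEAK", WEAK)):
        result = audit_host_based(parse_sshd_config(text))
        print(f"{name}: {worst_level(result)}")
        for option, level, reason in result:
            print(f"  [{level}] {option}: {reason}")
```

Run against the quoted sshd_config the checker reports nothing; against the weak variant it reports RhostsAuthentication as the serious finding, since that is the one setting under which a spoofed source address alone satisfies the server, which is exactly the attack the message says router rules and host keys are meant to make hard.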