[27098] in bugtraq
Re: OpenSSH 3.4p1 Privsep
daemon@ATHENA.MIT.EDU (Artem Chuprina)
Wed Sep 18 19:27:27 2002
Date: Wed, 18 Sep 2002 01:00:32 +0400
From: Artem Chuprina <bugtraq@ran.pp.ru>
To: bugtraq@securityfocus.com
Message-ID: <20020917210032.GA17427@home.ran.pp.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Disposition: inline
In-Reply-To: <Pine.SOL.4.33.0209161729000.21511-100000@magnet.weirdness.net>
On 2002.09.16 at 17:48:42 -0400, Andrew Danforth wrote:
> During authentication, OpenSSH 3.4p1 with privsep enabled passes the
> cleartext password from the main process to the privsep child using a
> pipe. Using strace or truss, root can see the user's plaintext password
> flying by. I observed this behavior from OpenSSH 3.4p1 built using GCC on
> Solaris 2.8 and the current Debian OpenSSH 3.4p1 package.
>
> Theo and Markus tell me that this is not an issue. Theo says that you
> cannot prevent root from determining a user's password. I don't disagree,
> but asked why OpenBSD bothers to encrypt user passwords at all if that is
> his attitude.
Because these passwords are stored. That is, if /etc/shadow is stolen by a
malicious user because of an administrator's mistake, it is a challenge for that
user to get passwords from their encrypted state. This is not an issue for
temporary objects, that's why pipes are considered secure.
> The level of effort to determine cleartext passwords, for even the most
> inexperienced Unix administrator, is almost zero given the above. I
> realize that no matter how you slice it, it will be possible for root to
> grab the password from wherever it's stored in memory. Or recompile sshd
> to log the password, or any number of other ways. However, the methods I
> just mentioned all require someone with significantly more know-how than:
>
> truss -fp `cat /var/run/sshd.pid`
It is also trivial to read a process's memory and so on.
--
Artem Chuprina <ran@ran.pp.ru>
FIDO: 2:5020/122.256