Re: SSH / X11 auth: needless complexity -> security problems?

From: Dale Southard (southard1at_private)
Date: Thu Jun 07 2001 - 11:45:47 PDT


    Peter W <peterwat_private> writes:
    
    > On Tue, Jun 05, 2001 at 07:36:24PM -0700, Dale Southard wrote:
    > > Peter W <peterwat_private> writes:
    > 
    > > > Since the DISPLAY name changes, and an Xauthority file can
    > > > hold multiple X cookie credentials, is there any good reason why OpenSSH
    > > > need to make, and then, wipe out, a special xauthority file?
    > 
    > > When ~ lives in NFS/AFS/DFS filespace, ~/.Xauthority file will be
    > > vulnerable to attack.  If successful, the attacker has illegitimate
    > > control of the originating machine despite ssh's attempt to securely
    > > forward the authentication material. 
    > 
    > So SSH is trying to work around security problems with network
    > filesystems? A noble goal, but I'm afraid we have a real-world example
    > here of the dangers of adding complexity to Program B to make up for
    > Program A's deficiencies.
    
    
    Absolutely.  I didn't mean to imply that it was a good idea, only to
    explain how it got there in the first place.  The ``Xauthority in
    tmp'' stuff was originally part of dugsong's AFS patches to ssh 1.2.x.
    At some point he quit work on those patches and worked on openssh
    (which is probably how we got to where we are, but I don't know that
    for sure).
    
    The road to hell is paved with good intentions.  Dugsong has done some
    very good security work, but trying to make up for AFS/NFS and X11
    weaknesses is a lot to bite off....
    
    
    > Authentication: some network filesystems have rather weak authentication
    > mechanisms. In these, it may be easy for an attacker to use the network
    > filesystem itself to connect and read data in ~victim. But in these
    > cases, an attacker also likely will have write privileges to ~victim,
    > making it possible to put trojans in ~victim/.profile, rendering any sshd
    > ~victim/.Xauthority workaround meaningless.
    
    Still not the whole story.  AFS uses kerb4 for authentication, but the
    filesystem authorization is controlled by directory ACLs.  For various
    reasons, it's pretty common to give ``system:anyuser'' access to ~/
    which means anyone, anywhere can read your Xauth cookies.
    
    The problem isn't the authentication, it's the granularity of the
    authorization that the filesystem affords.  NFS leaves authorization
    up to the client host (aka ``No File Security'').  AFS provides
    directory-level authorization, but users often use it to do silly
    things.  DFS provides file-level ACLs, but no one seems to care
    anymore...  :-|
    
    
    
    -- 
    
    /*  Dale Southard Jr.       southard1at_private        925-422-1463  */
    /*  Computer Scientist, Accelerated Strategic Computing Initiative  */
    /*  L-550,  Lawrence Livermore National Lab,  Livermore CA   94551  */
    /*  AFF/I, SL/I, T/I, D-11216, Sr. Rig --- I'd rather be skydiving  */
    
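Peter W's point above that one Xauthority file holds many cookies, and Dale's that on a world-readable AFS home every one of them is exposed, both turn on the file's format; as an added example (not code from either poster), this Python parser decodes that format and lists each entry the way `xauth list` does, using a constructed sample file built inline. The family codes are the standard Xauth.h values; the sample hostname, display numbers and address are made up.

```python
import struct
from typing import NamedTuple

FAMILY_INTERNET, FAMILY_LOCAL = 0, 256  # address-family codes from X11's Xauth.h

class XauthEntry(NamedTuple):
    family: int     # address family of the display host
    address: bytes  # hostname (FamilyLocal) or packed IPv4 (FamilyInternet)
    number: str     # display number, stored as ASCII digits
    name: str       # auth protocol, normally "MIT-MAGIC-COOKIE-1"
    data: bytes     # the cookie itself (16 random bytes for MIT-MAGIC-COOKIE-1)
    def display(self) -> str:
        """Render as `xauth list` does ('myhost/unix:10', '10.0.0.5:0'); only these two families."""
        host = ".".join(map(str, self.address)) if self.family == FAMILY_INTERNET else self.address.decode() + "/unix"
        return f"{host}:{self.number}"

def _u16(buf: bytes, pos: int):  # big-endian u16: the family code and every length prefix
    if pos + 2 > len(buf):
        raise ValueError(f"truncated Xauthority record at offset {pos}")
    return struct.unpack_from(">H", buf, pos)[0], pos + 2

def _field(buf: bytes, pos: int):  # length-prefixed byte string
    n, pos = _u16(buf, pos)
    if pos + n > len(buf):  # a file cut off mid-record is rejected, not guessed at
        raise ValueError(f"truncated Xauthority field at offset {pos}")
    return buf[pos:pos + n], pos + n

def parse_xauthority(buf: bytes) -> list:
    """Decode every record (family, address, number, name, data), stored back to back."""
    entries, pos = [], 0
    while pos < len(buf):
        family, pos = _u16(buf, pos)
        address, pos = _field(buf, pos)
        number, pos = _field(buf, pos)
        name, pos = _field(buf, pos)
        data, pos = _field(buf, pos)
        entries.append(XauthEntry(family, address, number.decode(), name.decode(), data))
    return entries

def encode_xauthority(entries) -> bytes:
    """Inverse of parse_xauthority; used here to build the constructed sample below."""
    rec = lambda f: struct.pack(">H", len(f)) + f
    return b"".join(struct.pack(">H", e.family) + rec(e.address) + rec(e.number.encode())
                    + rec(e.name.encode()) + rec(e.data) for e in entries)

SAMPLE = encode_xauthority([  # constructed: two ssh-forwarded displays and one TCP display
    XauthEntry(FAMILY_LOCAL, b"myhost", "10", "MIT-MAGIC-COOKIE-1", bytes(range(16))),
    XauthEntry(FAMILY_LOCAL, b"myhost", "11", "MIT-MAGIC-COOKIE-1", bytes(16)),
    XauthEntry(FAMILY_INTERNET, bytes([10, 0, 0, 5]), "0", "MIT-MAGIC-COOKIE-1", b"\xff" * 16),
])
```

Run `parse_xauthority(open(path, "rb").read())` on a real file to see what a reader of that file would obtain: every cookie in it, not just the one for the current DISPLAY.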
