Your SlideShare is downloading. ×
(mis)Trusting and (ab)Using SSH          Tips and Tricks for Pentesters and Sysadmins                                Herma...
About us                     Bruno Morisson                        Herman Duarte                     <morisson@genhex.org>...
In the beginning of times...                Telnet                r* services (rlogin, rsh)                Weak (or no) au...
In the beginning of times...                Sniffing                Interception                Hijacking                Ma...
Enter the Dragon^WSSHMonday, July 2, 12                           5
SSH* features                Key agreement (DH)                Encrypted communications (C&I from CIA)                Mult...
Monday, July 2, 12   7
SSH 101- The Basics                                    Session Multiplexing, TCP forwarding,                     Connectio...
SSH 101- The Basics                              Encrypted Channel Setup                                User Authenticatio...
SSH 101- The Basics           User authentication methods:                GSSAPI                Host-Based                ...
Password Authentication                                Encrypted Channel Setup                     Client                 ...
If the server is compromised...                sshd binary is changed with one that logs passwords                keylogge...
PublicKey Authentication                                     Encrypted Channel Setup                          Client      ...
DEMOMonday, July 2, 12          14
What if I have a lot of keys, or login a lot ??Monday, July 2, 12                                           15
SSH Agent                                 Encrypted Channel Setup                      Client                             ...
What if I SSH into other servers ??Monday, July 2, 12                                    17
SSH Agent Forwarding                No need to copy private key to other servers                Key is kept on the origina...
SSH Agent Forwarding             Client           Transport                                                 Server #1     ...
Control Master                Connection multiplexing allows for multiple sessions on                one connection       ...
DEMOMonday, July 2, 12          21
Caveat Emptor(s)                You must trust the server(s)                What if the server was compromised ?          ...
DEMOMonday, July 2, 12          23
Help us Obi Wan                     You’re our only hope!Monday, July 2, 12                           24
Freak on a Leash              When adding keys to ssh-agent use ssh-add with:                     -t <secs> to set a maxim...
Freak on a Leash                     ssh-agent queries /usr/libexec/ssh-askpass for                     confirmation       ...
DEMOMonday, July 2, 12          27
But we still need passwords!                     If you su / sudo, you still type your password...                     Wha...
DEMOMonday, July 2, 12          29
Paranoia is reality on a finer scaleMonday, July 2, 12                              30
Monday, July 2, 12   31
Using SSH w/o using SSH                                      (but still using SSH)                     ssh -W trusted:22 u...
Using SSH w/o using SSH                                        (but still using SSH)                                      ...
Using SSH w/o using SSH                                     (but still using SSH)             Client        Transport     ...
DEMOMonday, July 2, 12          35
Control your SSH                .ssh/config                Host trusted1 trusted2 trusted3                ForwardAgent yes ...
Live long and prosperMonday, July 2, 12                           37
References                RTFM :)                RFCs                4251-4256,4335,4344,4345,4419,4432,4462,4716,56      ...
Upcoming SlideShare
Loading in...5
×

(Mis)trusting and (ab)using ssh

1,890

Published on

Presentation on Confraria de Segurança da Informação, about SSH.

2Jul2012

Published in: Technology
0 Comments
4 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,890
On Slideshare
0
From Embeds
0
Number of Embeds
6
Actions
Shares
0
Downloads
0
Comments
0
Likes
4
Embeds 0
No embeds

No notes for slide

Transcript of "(Mis)trusting and (ab)using ssh"

  1. 1. (mis)Trusting and (ab)Using SSH Tips and Tricks for Pentesters and Sysadmins Herman Duarte <hcoduarte@gmail.com> Bruno Morisson <morisson@genhex.org>Monday, July 2, 12 1
  2. 2. About us Bruno Morisson Herman Duarte <morisson@genhex.org> <hcoduarte@gmail.com> http://genhex.org/~mori/ I do security stuff @ INTEGRITY S.A. InfoSEC addict @ INTEGRITY S.A. @morisson @hdontwit http://www.linkedin.com/in/morisson http://www.linkedin.com/in/hcoduarteMonday, July 2, 12 2
  3. 3. In the beginning of times... Telnet r* services (rlogin, rsh) Weak (or no) authentication Communication in clearMonday, July 2, 12 3
  4. 4. In the beginning of times... Sniffing Interception Hijacking Man-In-The-Middle ...Monday, July 2, 12 4
  5. 5. Enter the Dragon^WSSHMonday, July 2, 12 5
  6. 6. SSH* features Key agreement (DH) Encrypted communications (C&I from CIA) Multiple authentication options (password, public keys, kerberos, etc...) Channel Multiplexing Port Forwarding VPN ...and so much more! * for this talk SSH==SSHv2Monday, July 2, 12 6
  7. 7. Monday, July 2, 12 7
  8. 8. SSH 101- The Basics Session Multiplexing, TCP forwarding, Connection socket forwarding, sftp subsystem, etc SSH User Auth User Authentication (password, Pubkey, etc) Key Agreement (DH), Host auth, Integrity, Transport Encryption, Re-Keying TCP IPMonday, July 2, 12 8
  9. 9. SSH 101- The Basics Encrypted Channel Setup User Authentication Client Connection ServerMonday, July 2, 12 9
  10. 10. SSH 101- The Basics User authentication methods: GSSAPI Host-Based Public Key Challenge-Response PasswordMonday, July 2, 12 10
  11. 11. Password Authentication Encrypted Channel Setup Client Server username, use password OK Password Auth Ok / NOk passwd ssh sshd fileMonday, July 2, 12 11
  12. 12. If the server is compromised... sshd binary is changed with one that logs passwords keylogger is installed on the server ..the password is compromised!Monday, July 2, 12 12
  13. 13. PublicKey Authentication Encrypted Channel Setup Client Server username, use publickey OK Signature Auth Ok / NOk authorized id_dsa ssh sshd _keysMonday, July 2, 12 13
  14. 14. DEMOMonday, July 2, 12 14
  15. 15. What if I have a lot of keys, or login a lot ??Monday, July 2, 12 15
  16. 16. SSH Agent Encrypted Channel Setup Client Server username, use publickey OK Signature Auth Ok / NOk Agent ssh sshd authorized id_dsa _keysMonday, July 2, 12 16
  17. 17. What if I SSH into other servers ??Monday, July 2, 12 17
  18. 18. SSH Agent Forwarding No need to copy private key to other servers Key is kept on the original source host Agent is forwarded, using a tunnel Passwordless!Monday, July 2, 12 18
  19. 19. SSH Agent Forwarding Client Transport Server #1 Transport Server #2 Connection Connection Interactive Shell Agent Forwarding Interactive Shell Agent ssh sshd ssh sshd authorized authorized id_dsa _keys _keysMonday, July 2, 12 19
  20. 20. Control Master Connection multiplexing allows for multiple sessions on one connection It’s fast No need for extra authenticationMonday, July 2, 12 20
  21. 21. DEMOMonday, July 2, 12 21
  22. 22. Caveat Emptor(s) You must trust the server(s) What if the server was compromised ? Can SSH Agent be abused ? Can Control Master be abused ?Monday, July 2, 12 22
  23. 23. DEMOMonday, July 2, 12 23
  24. 24. Help us Obi Wan You’re our only hope!Monday, July 2, 12 24
  25. 25. Freak on a Leash When adding keys to ssh-agent use ssh-add with: -t <secs> to set a maximum lifetime on the identities being added to the agent -c to indicate that identities being added should be subject to confirmation before being used for authMonday, July 2, 12 25
  26. 26. Freak on a Leash ssh-agent queries /usr/libexec/ssh-askpass for confirmation “ssh-add -c -t 3600 < /dev/null” makes ssh-add use env var SSH_ASKPASS to query for passphraseMonday, July 2, 12 26
  27. 27. DEMOMonday, July 2, 12 27
  28. 28. But we still need passwords! If you su / sudo, you still type your password... What if we could use the SSH Agent for sudo ? Yes we can! :)Monday, July 2, 12 28
  29. 29. DEMOMonday, July 2, 12 29
  30. 30. Paranoia is reality on a finer scaleMonday, July 2, 12 30
  31. 31. Monday, July 2, 12 31
  32. 32. Using SSH w/o using SSH (but still using SSH) ssh -W trusted:22 untrusted Open socket to trusted Server... ...through an untrusted ServerMonday, July 2, 12 32
  33. 33. Using SSH w/o using SSH (but still using SSH) Connect to the socket created ssh -o “ProxyCommand ssh -a -W trusted:22 untrusted” trusted Disable Agent Forwarding Open Socket to trusted via untrusted Just for user and key validationMonday, July 2, 12 33
  34. 34. Using SSH w/o using SSH (but still using SSH) Client Transport Untrusted Owned Trusted Connection -W (Open Socket to Server #2) Transport Connection Interactive Shell Agent ssh sshd sshd authorized authorized id_dsa _keys _keysMonday, July 2, 12 34
  35. 35. DEMOMonday, July 2, 12 35
  36. 36. Control your SSH .ssh/config Host trusted1 trusted2 trusted3 ForwardAgent yes ProxyCommand ssh -a -W %h:22 untrusted.server.com Host * ControlMaster no ForwardAgent no PasswordAuthentication no HashKnownHosts yesMonday, July 2, 12 36
  37. 37. Live long and prosperMonday, July 2, 12 37
  38. 38. References RTFM :) RFCs 4251-4256,4335,4344,4345,4419,4432,4462,4716,56 56 http://www.linuxjournal.com/article/9566 http://pamsshagentauth.sourceforge.net/ http://www.jedi.be/blog/2010/08/27/ssh-tricks-the- usual-and-beyond/Monday, July 2, 12 38

×