Re: S/Key keyinit(1) authentication (lack thereof) + sudo(1)

[Derek Martin <ddm () pizzashack org>]

On Sun, Sep 02, 2001 at 01:16:18PM -0500, Frank Tobin wrote:
> 1) Have sudo(1) installed on a machine, along with S/Key.
>
> 2) Login as a user with root-granted-by-sudo privileges, and get a
>    terminal.
>
> 3) Run keyinit(1) to generate a new sequence, and use key(1) to get a list
>    of OTP's.
>
> 4) Run sudo, and use the correct OTP to authenticate.
>
> 5) You now have root, without *ever* having to do anything besides be at a
>    user-level terminal.

This isn't really true.  While I don't think adding authentication is
a bad idea, where compromises occur via this mechanism, your real
problem is different from what you outline.  You DO need to have
access to a root level terminal, albeit through sudo.  This means you
need either:

 - have permission from the admin team to run sudo
 - have compromised the account of a system adminstrator or other
   person who has root priviledges through sudo

In the first case, you're either a system administrator, or you should
have very restricted access to what you can run with sudo.  If you're
a malicious user AND you're a system administrator, and/or you have
unrestricted root priviledges, as we all know the system's already
screwed, as there is no protection from a malicious root user.  If
they don't steal your account this way, they'll find any one of a
hundred other ways to do it.

In the second case, the administrators have not done a good job of
securing their environment.  Any account which has privileges to run
programs as root should be treated as requiring the same security as
the root account itself.  If the account is an actual admin account,
shame on the admin!  Admins should realize that their account is just
as important to secure as the root account.

If the account is some non-administrator with sudo priviledges, the
admins have not adequately limited what that user can run with sudo,
and have not done a good job in educating that user how to keep their
own account secure.  The user with root privileges (like all users,
actually) has the responsibility to use good passwords and not share
them with others, lock his terminal when he leaves it, etc. in order
to keep his account secure.  It should be stressed to all users who
are given sudo priviledges that these things are especially important
for them, as failing to do it can get your whole network compromised.

The malicious user also needs to know WHO has sudo priviledges.
Keeping the sudoers file non-readable by regular users will help a bit
here, though in general it's probably safe to assume that the admin
team uses it, if it's installed.  

So again, while adding authentication is not a bad idea, your real
problem here is teaching your users and/or admins to safeguard their
accounts and configure sudo properly.  If you don't do this, then 
authentication in keyinit is really irrelevant, as malicious users
will find lots of other ways to accomplish their goals.

-- 
---------------------------------------------------
Derek Martin          |   Unix/Linux geek
ddm () pizzashack org    |   GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu