Bugtraq mailing list archives
Re: OpenSSH 3.4p1 Privsep
From: Artem Chuprina <bugtraq () ran pp ru>
Date: Wed, 18 Sep 2002 01:00:32 +0400
On 2002.09.16 at 17:48:42 -0400, Andrew Danforth wrote:
> During authentication, OpenSSH 3.4p1 with privsep enabled passes the cleartext password from the main process to the privsep child using a pipe. Using strace or truss, root can see the user's plaintext password flying by. I observed this behavior from OpenSSH 3.4p1 built using GCC on Solaris 2.8 and the current Debian OpenSSH 3.4p1 package.
>
> Theo and Markus tell me that this is not an issue. Theo says that you cannot prevent root from determining a user's password. I don't disagree, but asked why OpenBSD bothers to encrypt user passwords at all if that is his attitude.
Because these passwords are stored. That is, if /etc/shadow is stolen by a malicious user because of an administrator's mistake, it is a challenge for that user to get passwords from their encrypted state. This is not an issue for temporary objects; that's why pipes are considered secure.
> The level of effort to determine cleartext passwords, for even the most inexperienced Unix administrator, is almost zero given the above. I realize that no matter how you slice it, it will be possible for root to grab the password from wherever it's stored in memory. Or recompile sshd to log the password, or any number of other ways. However, the methods I just mentioned all require someone with significantly more know-how than:
>
>     truss -fp `cat /var/run/sshd.pid`
It is also trivial to read a process's memory, and so on.

-- 
Artem Chuprina <ran () ran pp ru>
FIDO: 2:5020/122.256
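Both sides of this thread agree that a root user who can attach a tracer to sshd can read whatever passes through the privsep pipe. What an administrator can still do is make such attachments visible after the fact. The script below is an added example, not code from the thread or from OpenSSH: it scans Linux audit records for ptrace(2) attach requests aimed at known sshd process IDs. It assumes an auditd rule like `-a always,exit -F arch=b64 -S ptrace -k ptrace_attach` is in place, an x86_64 host (syscall number 101, arch code c000003e), and that the sshd PIDs of interest are supplied by the caller; the audit lines are constructed for the example.

```python
"""Flag ptrace attachments to sshd in Linux audit logs (added example).

Assumes an auditd rule such as
    -a always,exit -F arch=b64 -S ptrace -k ptrace_attach
is active on an x86_64 host, and that the caller knows which PIDs
belong to sshd. All sample records below are constructed.
"""
import re

# x86_64 syscall number for ptrace(2); other architectures differ.
PTRACE_SYSCALL_X86_64 = 101
ARCH_X86_64 = "c000003e"
# ptrace(2) request values that attach a tracer to a running process.
PTRACE_REQUESTS = {0x10: "PTRACE_ATTACH", 0x4206: "PTRACE_SEIZE"}

# key=value pairs; values may be quoted strings or bare tokens.
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed audit records (not real logs). PIDs 1234 (0x4d2) and
# 1235 (0x4d3) play the role of sshd processes.
SAMPLE_AUDIT_LINES = [
    # root runs a tracer against sshd pid 1234 (attach request 0x10)
    'type=SYSCALL msg=audit(1032300032.101:2001): arch=c000003e syscall=101 '
    'success=yes exit=0 a0=10 a1=4d2 a2=0 a3=0 items=0 ppid=2000 pid=2010 '
    'auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'tty=pts0 ses=3 comm="strace" exe="/usr/bin/strace" key="ptrace_attach"',
    # a developer debugging an unrelated process (pid 999 = 0x3e7)
    'type=SYSCALL msg=audit(1032300040.223:2002): arch=c000003e syscall=101 '
    'success=yes exit=0 a0=10 a1=3e7 a2=0 a3=0 items=0 ppid=2000 pid=2020 '
    'auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 '
    'sgid=1000 fsgid=1000 tty=pts1 ses=4 comm="gdb" exe="/usr/bin/gdb" '
    'key="ptrace_attach"',
    # PTRACE_TRACEME (a0=0) issued by a debuggee itself: not an attach
    'type=SYSCALL msg=audit(1032300050.001:2003): arch=c000003e syscall=101 '
    'success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=0 ppid=2000 pid=2030 '
    'auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 '
    'sgid=1000 fsgid=1000 tty=pts1 ses=4 comm="a.out" exe="/home/user/a.out" '
    'key="ptrace_attach"',
    # a non-SYSCALL record from the same event: ignored
    'type=PROCTITLE msg=audit(1032300032.101:2001): proctitle=7374726163650031323334',
    # an unprivileged attach attempt on sshd pid 1235, refused by the kernel
    'type=SYSCALL msg=audit(1032300060.500:2004): arch=c000003e syscall=101 '
    'success=no exit=-1 a0=4206 a1=4d3 a2=0 a3=0 items=0 ppid=3000 pid=3010 '
    'auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 '
    'sgid=1000 fsgid=1000 tty=pts2 ses=5 comm="strace" exe="/usr/bin/strace" '
    'key="ptrace_attach"',
]


def parse_audit_record(line):
    """Return the key=value fields of one audit record as a dict."""
    return {key: value.strip('"') for key, value in _FIELD.findall(line)}


def ptrace_attach_events(lines, sshd_pids):
    """Return one alert dict per SYSCALL record that requests PTRACE_ATTACH
    or PTRACE_SEIZE on a PID in sshd_pids. Failed attempts are reported too,
    since a refused attach is still worth an analyst's attention."""
    alerts = []
    for line in lines:
        f = parse_audit_record(line)
        if f.get("type") != "SYSCALL" or f.get("arch") != ARCH_X86_64:
            continue
        if int(f.get("syscall", "-1")) != PTRACE_SYSCALL_X86_64:
            continue
        request = int(f.get("a0", "0"), 16)   # ptrace request, hex in audit
        target = int(f.get("a1", "0"), 16)    # traced PID, hex in audit
        if request not in PTRACE_REQUESTS or target not in sshd_pids:
            continue
        alerts.append({
            "tracer_pid": int(f["pid"]),
            "uid": f.get("uid"),
            "auid": f.get("auid"),
            "comm": f.get("comm"),
            "exe": f.get("exe"),
            "request": PTRACE_REQUESTS[request],
            "target_pid": target,
            "success": f.get("success"),
        })
    return alerts


def format_alert(a):
    """One-line human-readable summary of an alert."""
    return ("%s (uid=%s auid=%s pid=%d, %s) %s on sshd pid %d: success=%s"
            % (a["comm"], a["uid"], a["auid"], a["tracer_pid"], a["exe"],
               a["request"], a["target_pid"], a["success"]))


if __name__ == "__main__":
    for alert in ptrace_attach_events(SAMPLE_AUDIT_LINES, {1234, 1235}):
        print(format_alert(alert))
```

The `auid` field matters more than `uid` here: it records the user who originally logged in, so a tracer run from a root shell reached via su or sudo is still attributed to the person behind it.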