[Ach] More OpenSSH Hardening

Wasa Bee wasabee18 at gmail.com
Wed Jan 7 12:23:15 CET 2015


There are possible race conditions on the creation of the file, e.g. if the
implementation creates the /tmp/file and THEN sets the permission, rather
than doing it atomically at creation time. There are also possible error
handling problems, such as what happens if the file already exists and
belongs to a malicious user, or if the file already exists and is a link to
a malicious user's file. In these cases, the malicious user could update the
file after it has been written to.

On Wed, Jan 7, 2015 at 11:09 AM, Axel Hübl <axel.huebl at web.de> wrote:

> On 07.01.2015 08:51, Sven Kieske wrote:
> > On 07.01.2015 02:48, Axel Hübl wrote:
> >> Hi,
> >
> >> I just found
> >> https://stribika.github.io/2015/01/04/secure-secure-shell.html
> >
> >> with quite clear explanations.
> >
> >> Especially I didn't realize there is a /etc/ssh/moduli file for the
> >> DH params in OpenSSH - we might want to add that, too.
> >
> > This part is very insecure on systems with multiple accounts
> > as everyone can write to /tmp/ , resulting in an overwritten file
> > by a third party:
> >
> > >> ssh-keygen -G /tmp/moduli -b 4096
> > >> ssh-keygen -T /etc/ssh/moduli -f /tmp/moduli
> >
> > And this person cares about security..
>
> For me (Debian Linux),
>   ssh-keygen -G /tmp/moduli -b 4096
>
> creates a -rw-r--r-- file in /tmp/ with my ownership. So other users
> should not be able to overwrite that. Did I miss your point?
>
> Another minor point is that restarting an ssh-server should not harm existing
> connections at all, as nervously stated in the last paragraph.
>
> Nevertheless, let's focus on the interesting points, we can provide
> feedback to the other parts if someone feels like it.
>
> Axel
>
> >
> >
> > kind regards
> >
> > Sven
> >
> > _______________________________________________
> > Ach mailing list
> > Ach at lists.cert.at
> > http://lists.cert.at/cgi-bin/mailman/listinfo/ach
> >
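
The creation pattern that avoids the three problems named in the top message (create-then-chmod, a pre-existing file, a pre-existing link), as an added example that is not part of the thread and is not OpenSSH's own code. The file names are constructed for the demonstration, and the helper names `create_private_file`, `attempt` and `demo` are hypothetical.

```python
import os
import stat
import tempfile


def create_private_file(path):
    """Create path with mode 0600 in one open() call; fail if the name exists."""
    # O_CREAT|O_EXCL fails with EEXIST if anything is already at this name,
    # including a symlink (it is not followed). The mode is set by the same
    # call, so there is no create-then-chmod window.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    return os.open(path, flags, 0o600)


def attempt(path):
    """Return 'created' or 'refused' for one creation attempt."""
    try:
        os.close(create_private_file(path))
        return "created"
    except FileExistsError:
        return "refused"


def demo():
    """Exercise the cases from the message inside a private directory."""
    results = {}
    # mkdtemp-style directory (mode 0700): other users cannot plant names in it.
    with tempfile.TemporaryDirectory() as workdir:
        results["dir_mode"] = stat.S_IMODE(os.stat(workdir).st_mode)
        target = os.path.join(workdir, "moduli.candidates")  # constructed name
        fd = create_private_file(target)
        results["file_mode"] = stat.S_IMODE(os.fstat(fd).st_mode)
        os.close(fd)
        # Case 1: the file already exists (possibly created by someone else).
        results["existing_file"] = attempt(target)
        # Case 2: the name is a symlink pointing at another user's file.
        elsewhere = os.path.join(workdir, "someone_elses_file")
        planted = os.path.join(workdir, "planted_link")
        os.symlink(elsewhere, planted)
        results["symlink"] = attempt(planted)
        # The link target must not have been created through the link.
        results["link_target_created"] = os.path.exists(elsewhere)
    return results


if __name__ == "__main__":
    print(demo())
```

A tool that writes to a caller-supplied path offers none of these guarantees by itself, so the equivalent on the command line is to point it at a file inside a directory created with `mktemp -d` rather than directly at a name in /tmp.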
