[Ach] More OpenSSH Hardening
Sven Kieske
svenkieske at gmail.com
Wed Jan 7 14:00:26 CET 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 07.01.2015 12:09, Axel Hübl wrote:
> For me (debian linux), ssh-keygen -G /tmp/moduli -b 4096
>
> creates a -rw-r--r-- file in /tmp/ with my ownership. So other
> users should not be able to overwrite that. Did I miss your point?
Well yes,
it's good to see the file gets at least created with somehow safe
permissions, but:
1. what if the file is already there before ssh-keygen generates
it(with different permissions)?
2. what if it is an symbolic link e.g. to any system file, will
the command overwrite it?
there are lots of recommendations for secure tmp usage
including, but not limited to the mktemp command:
http://unixhelp.ed.ac.uk/CGI/man-cgi?mktemp
here are some recommendations and detailed explanations from a cert:
https://www.securecoding.cert.org/confluence/download/attachments/3524/07.5+Temporary+Files+v2.pdf
here from owasp:
https://www.owasp.org/index.php/Insecure_Temporary_File
Anyway I just did a fresh debian install and checked myself:
root at localhost:~# ls -lashin /tmp/moduli
2566 0 -rwxrwxrwx 1 1000 1000 0 Jan 7 07:35 /tmp/moduli
root at localhost:~# ssh-keygen -G /tmp/moduli -b 4096
Wed Jan 7 07:43:23 2015 Sieve next 268304384 plus 4095-bit
Wed Jan 7 07:58:00 2015 Sieved with 203277289 small primes in 877 seconds
Wed Jan 7 07:58:11 2015 Found 221867 candidates
root at localhost:~# ls -lashin /tmp/moduli
2566 225M -rwxrwxrwx 1 1000 1000 225M Jan 7 07:58 /tmp/moduli
So if the file already exists ssh-keygen does not recreate
the permissions.
HTH
Sven
PS: Anyway of course a nice writeup
but as you can see it's really hard to get every aspect of security
right.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQGcBAEBAgAGBQJUrS3qAAoJEAq0kGAWDrqlO2oMAIQfS0sCdAG5esFJiuJW+gVh
QnjkYp4A+qWQAbrYBA2d5GXOC0Ca9bJ/W73l6IZVa8zFsqiW/Zo4QrQTwUDp7c52
4ZOcMdggcJf/BAWXHKdr6beN8nuF9CPEHjWWHh1K8jFCLPC3U9VBAS6Rv2lWNQx0
+Z3qOd6h09SoHJkXm/OMtMfiLCmEO4KxYf/XiU5ldVT32O+hZ7ssBBNTnyaQ35hd
9e4faZhnqYCcKW2jtC5vg4XhAscVZL39Zz8X+xBp3jzjpP+KcWPQCHjnx3MpgCXP
mQD+jkhwvtzmvGFWFYltU1cnKOwJv5lc6PGabO/lGL+k4t8t433RnN17Sd9cofRz
qVitUGR6McNzpK1EvqBbC5a4h6c43uhMJ8vA2yISXQ2QNUTbMKcBT7op2qus9bin
j6PwnbhnJUAvOcuckyqWWCZ7RJDGzADKhBKsIR+1ohpLMEASkb7qHZ3m6S54y+49
P8QetWSkbJZn6rQvxXMvTga8DV1tRYSweZuQsWHvzw==
=f7Qz
-----END PGP SIGNATURE-----
More information about the Ach
mailing list