SecureAutomation: Achieving Least Privilege with SSH, Sudo and Setuid
Cisco Systems

their functions, often including escalated privileges on remote machines. To achieve this, can be abused by attackers. Most of all, with the complexity of today's environments, it becomes harder for administrators to understand the far-reaching security implications of the privileges they overall security of an environment. We will cover simple attacks against SSH, sudo and setuid/setgid scripts and directories, sudo and sticky bits. We will demonstrate how to properly limit

Introduction

Since its introduction in 1995 by Tatu Ylonen, ous r-commands (rsh, rexec, rlogin), SSH provides ing and traffic sniffing attacks, all of which were significant problems with the r-commands. SSH was ini- word. Today it provides per-host and per-command Setuid (also called suid or Set UID) allows a UNIX program to run as a particular user. If the exe- will run as the root user, giving it privileges that may nications Security. The parts of this paper which refer to commercial SSH are based on SSH Secure Shell 3.2. Starting with version 4.0, this product is known as SSH Tectia. Automation tools receive little security review, author's experience. If you have a similar environ-

2004 LISA XVIII, November 14-19, 2004, Atlanta, GA. SecureAutomation: Achieving Least Privilege with SSH, Sudo and Setuid. Napier

can get to that key, she will have complete con- Sudo hijacking. In sudo's default configuration, enabled user can hijack that user's sudo privileges even without access to the user's password. Without great care, limited sudo can be trivially users are obvious targets for attackers. Errors in We'll discuss how to mitigate all of these. It's tempting to simply blame coder laziness for this situation, but this isn't the case. There are sev- Trust in instant security. Neither SSH nor sudo can be simply dropped in place and can be difficult without tearing down some of its benefit. Similarly, sudo introduces several Throughout this paper, the term SSH key will be used Added complexity. Many of the techniques in alone get working securely. If developers are only rewarded for functionality, then there is goal of layered security. particular user's account is compromised, for whatever as much as possible. This is why "don't you trust me?" should never be the argument for excessive privileges. one might ask why would we have hired these people if we didn't trust them? Least privilege has little to need for. How strictly "need" is defined is a serious trade-off to consider, but just requiring that an admin- manage. OpenSSH and most free Microsoft Windows from a central LDAP server, but for installations using generated, it should be added to LDAP. For environments with multiple networks supported by different organizations, or for dealing with servers outside of which contains the official list of server keys. This file hosts is generally only effective within an organiza- organization's host keys. Furthermore, since the user's (generally as far as the central support organization). add the key to the user's known_hosts, stored in ~/.ssh. good way to determine the authenticity of the key. Once a key has been added to the user's known_hosts, however, SSH will warn the user if a server ever responds with a different key. This could indicate that a machine is being spoofed. Unfortunately it could warning is legitimate. To avoid these problems, it is scripts have no way to respond to the new key, they Authority, clients can rely on their authenticity without parallel for Windows clients. ssh_known_hosts or LDAP.

Unrestricted sudo effectively creates additional steal. Each administrator's password must now be pro- the administrator's regular account. Doing so will the sensitive password. Alternately, sudo can be com- the scope of this paper. can make use of the victim's sudo privileges without the victim's password. Sudo uses tickets, files that are created to only require a user to enter her password at cer- per-user basis, so if the user is logged on multiple TTYs the victim user, then the attacker can piggyback on the victim's sudo privileges even without the victim's pass- a five minute (by default) window to use sudo without a complete solution is to turn off password caching entirely, either by compiling with --with-timeout=0 or figuration file, /etc/sudoers. Doing so completely ing their passwords repeatedly. Since root shells cannot be easily logged, this is a significant auditing trade-off. --with-tty-tickets or set tty_tickets to on in sudoers. solution, however. The attacker can still attack the victim's login scripts to have the attack happen within the make use of another user's SSH key. This seldom impacts domains. The "from" option accepts a comma sepa- the private key, and then will still have to poison or compromise DNS in order to make use of that key. Most extended SSH features can be turned off on a per-key basis. This includes X-forwarding, port-forwarding, PTY-generation generally a good idea to turn off any features you don't need. For example:

Controlling Sudo

trust the attacker who gains access to the user's pass- Permission to run commands in a user-writable directory. emacs, ed, edit, more, less, find), though ver- Access to root's crontab or at jobs (crontab, Any command that honors PAGER, EDITOR, through host keys, but it doesn't protect servers from hostile clients. If a user shows up with the correct user key, no client host key checking is done. Even with the "from" restriction, only the DNS name is checked, not a host key, Many UNIX commands, most notably ls, have different newline handling if there isn't a PTY. If your tool can than- used to get /etc/shadow for offline cracking, or attacks like sudo sudo /bin/sh. There are !SHELLS entry. If you need these options, then easily gain a root shell anyway. With the release of sudo 1.6.8, two new features been very difficult to provide in a controlled way with- -e option to sudo, also accessible by running target file that is owned by the user. The user is then original file with the temporary copy. In the past, some things much easier. To allow a user to use sudoedit, treat it like any other command, but don't give a full path to it. The alias sudoedit represents either sudoedit, or sudo -e. By appending a filename, you will tell how effective it is in practice. For example, let's consider a script mysqllog, against /etc/shadow, and if successful, displays [SUDO], sudoers man page, NOEXEC and EXEC. IX, Tru64 UNIX, MacOS X, and HP-UX 11.x. It does not work on AIX and UnixWare. [SUDO]

    open( INFILE, "$file.bak" ) or die "$!";
    open( OUTFILE, "$file" ) or die "$!";
    close INFILE or die $!;

Figure 5: update_errorlog in Perl.

Setuid is sometimes confused with "run as root", but this need not be the case. Setuid can be used the file to that user. special user. For example, if a script needs access to a file containing a password, there's no reason that file than non-root setuid. As we saw in the Non-root keys section, creating a group to manage configura- serving the user's own privileges (such as access to effective UID. by the user, giving an attacker an opportunity to study machine to test possible exploits offline.

    execv(CMD, av);
    snprintf(error, sizeof(error), "Unable to run %s", CMD);
    perror(error);
    exit(1);
    }

Figure 6: myscript.c setuid wrapper.

security flaws in it, then this technique wouldn't be needed and using this technique doesn't prevent an attacker from exploiting your script's security flaws. It just makes finding the flaws harder. cial handling to make setuid scripts safe (though shell scripts setuid safely. Most operating systems don't even allow this anymore. manipulation of PATH or IFS, and timing-based attacks ing systems, but because of Bourne shell's reliance on exter- a delay between when LDAP is updated and when the change takes effect. A tool that would automatically determine trust

Availability

available at http://www.openssh.org. At the time of SSH Secure Shell, discussed in this paper, has been replaced by SSH Tectia. Both are commercial rity (http://www.ssh.com). Where this paper refers to most recent version is SSH Tectia 4.1. Sudo is freely available and maintained by Todd Miller (Todd.Miller@courtesan.com) at http://www. tures of the upcoming 1.6.8 are discussed in this paper. mise the system as a whole. We have discussed prob- . He can be reached electronically at rnapier@employees.org.

References

[SUDO] Miller, Todd, http://www.courtesan.com/sudo, 2003.
OpenSSH Manual, http://www.openssh.org/manual.html, 2004.
[SSH] SSH Communications Security, SSH Secure Shell for Servers Version 3.2.9 Administrator's Guide, http://ssh.com/support/documentation/online/ssh/adminguide/32, 2003.