Bugtraq mailing list archives

Re: Bug in SSH1 secure-RPC support can expose users' private keys

From: "Richard E. Silverman" <res () shore net>
Date: Sat, 20 Jan 2001 23:50:41 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Thu, 18 Jan 2001, Andy Polyakov wrote:

In my environment I can *never* see key_encryptsession returning the
success value in the lack of my secret key and I get "run keylogin" all
the time... So that it must be something specific to Richard Silver-man's
NIS+ (mis?)configuration... And indeed, it appears that if
/etc/nsswitch.conf is configured with "publickey: nisplus files" keyserv
falls down to nobody's key-pair found in /etc/publickey and uses that
private key whenever user private key is not around.


This appears to in fact be what's going on.  I wrote:

res> ... most of the time, key_encryptsession returns success instead, and
res> appears to have encrypted its argument only with the public key of
res> the target netname, simply skipping the other encryption step.  This
res> produces a magic phrase which can be generated easily by any other
res> user on the system.

I said "appears" because I wasn't sure exactly what was going on.  The end
result was a key that could be produced by any user without access to my
RPC private key, so I made a guess that the common, public element was my
RPC public key alone.  I wasn't aware of the "feature" of falling back to
using nobody's credentials.

I have confirmed that either running "keyserv -d", or deleting nobody's
secure-RPC keys, makes the bug go away.  So it seems clear that the real
mechanism at work is the fallback to using "nobody"'s secure-RPC keys, to
which all users have effective access.

I assume the reason Andy could not replicate the effect, is that he was
using NIS+.  My test cases used the /etc/publickey file alone -- perhaps
the "nobody fallback" does not work with (certain configurations of?) NIS+
due to table permissions.

FIX:


I should recommend to configure NIS+ properly instead...


While I agree that it would be better to disable the fallback-to-nobody
feature when configuring secure-RPC, I do not agree with recommending this
"instead" of applying the fix I suggested.  There's no reason to leave a
serious vulnerability in SSH1 which is triggered by an easy and common
host OS configuration.  The fix is simple and prevents the problem,
regardless of how secure-RPC has been configured.

- --
  Richard Silverman
  slade () shore net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.2 (GNU/Linux)
Comment: pgpenvelope 2.8.10 - http://pgpenvelope.sourceforge.net/

iD8DBQE6amqmRF4zsgDn/HcRAjt9AKC9aITLFgso7dE1CbYNZ6jUfA++AACeJ1me
hl6v6eMXN/ZR+GcGWo32J3s=
=yZpu
-----END PGP SIGNATURE-----

Current thread:

Bug in SSH1 secure-RPC support can expose users' private keys ssh2-bugs (Jan 16)
- Re: Bug in SSH1 secure-RPC support can expose users' private keys c0n (Jan 17)
- Re: Bug in SSH1 secure-RPC support can expose users' private keys Andy Polyakov (Jan 18)
  - Re: Bug in SSH1 secure-RPC support can expose users' private keys Richard E. Silverman (Jan 22)