On Mon, 8 Dec 2003 13:16, Patrick Ouellette <[EMAIL PROTECTED]> wrote:
> On Thu, Dec 04, 2003 at 11:55:26AM -0800, Tom wrote:
> > instance is the hacker sniffed the password, and then logged on to
> > Debian's servers later at his leisure from a different PC. With a
>
> Instead of a smartcard/token/whatever physical device, this incident
> could possibly have been thwarted by requiring developers to pre-register
> their machine with the project (using ssh host key for example). The
> attacker would have the user's account information, but project machines
> would have refused access since the host id did not match the user's
> registered hosts. Then the project machine could have alerted both the
> project's admin team and the owner of the compromised account.
One problem with this is developers' machines that are on dial-up Internet
connections. In the case of such machines you can verify the host key but
not the IP address. Therefore if the machine is cracked then the host key
can be stolen and the machine impersonated.

Another problem is that host keys require a SUID ssh client in the default
configuration. This is bad in that an ssh client can potentially be used to
crack the machine, and it can potentially be used to steal the host key. If
we change ssh to be setgid not setuid for host-based authentication then
things will be marginally improved. But another thing that should be done
is to have ssh support for the host key used for host-based authentication
not being the same as that used for incoming ssh connections.

But this still leaves the issue of how to deal with dial-up machines. Even
if we restrict connections to a single ISP, as often dial-up machines are
not used with multiple machines, this still isn't necessarily much good;
some dial-up ISPs have >50,000 IP addresses.

Finally, if the attacker can compromise the machine and the machine is
online (e.g. permanently connected machines) there are no good options.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
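The alerting side of the pre-registration idea discussed in this thread, as an added example that is not code from the thread or from the Debian project: each developer registers either a source network (a permanently connected machine) or a host-key fingerprint (a dial-up machine, where only the host key can be checked, as the reply above notes), and a script walks sshd "Accepted ..." log lines and flags logins that match neither. The log lines, the registration table and the `SHA256:...` fingerprints are constructed for the example; the line format is modelled on OpenSSH syslog output but is an assumption, not a parser for every sshd version.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# Constructed sample sshd lines (syslog style, modelled on OpenSSH "Accepted ..." messages).
SAMPLE_LOG = """\
Dec  8 13:16:01 host sshd[1234]: Accepted publickey for alice from 198.51.100.9 port 40001 ssh2: RSA SHA256:AAAA
Dec  8 13:17:02 host sshd[1235]: Accepted hostbased for bob from 203.0.113.77 port 40002 ssh2: RSA SHA256:BBBB
Dec  8 13:18:03 host sshd[1236]: Accepted publickey for alice from 203.0.113.5 port 40003 ssh2: RSA SHA256:AAAA
Dec  8 13:19:04 host sshd[1237]: Accepted hostbased for bob from 203.0.113.78 port 40004 ssh2: RSA SHA256:CCCC
"""

# Hypothetical registration table (not from the thread): a developer on a fixed link
# registers a network; a dial-up developer, whose IP cannot be pinned, registers the
# fingerprint of the host key used for host-based authentication instead.
REGISTERED: Dict[str, dict] = {
    "alice": {"networks": ["198.51.100.0/24"], "host_keys": set()},
    "bob": {"networks": [], "host_keys": {"SHA256:BBBB"}},
}

LINE_RE = re.compile(
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) "
    r"port \d+ ssh2: \S+ (?P<fp>SHA256:\S+)"
)


@dataclass
class Login:
    user: str
    method: str      # "publickey", "hostbased", ...
    ip: str
    fingerprint: str  # key fingerprint sshd logged for this login


def parse_logins(text: str) -> Iterator[Login]:
    """Yield one Login per successful-authentication line; other lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield Login(m["user"], m["method"], m["ip"], m["fp"])


def matches_registration(login: Login, reg: dict) -> bool:
    """True if the login came from a registered network or a registered client host key."""
    addr = ipaddress.ip_address(login.ip)
    if any(addr in ipaddress.ip_network(net) for net in reg["networks"]):
        return True
    # Only a hostbased login proves the client host's key. For a publickey login the
    # logged fingerprint is the user key, which in the incident under discussion the
    # attacker is assumed to hold already, so it says nothing about the machine.
    return login.method == "hostbased" and login.fingerprint in reg["host_keys"]


def find_alerts(text: str, registered: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """Return (user, source ip, reason) for every login that no registration covers."""
    alerts = []
    for login in parse_logins(text):
        reg = registered.get(login.user)
        if reg is None:
            alerts.append((login.user, login.ip, "no registered hosts for account"))
        elif not matches_registration(login, reg):
            alerts.append((login.user, login.ip,
                           f"{login.method} login from unregistered host"))
    return alerts


if __name__ == "__main__":
    # In a real deployment each alert would go to the admin team and the account owner.
    for user, ip, reason in find_alerts(SAMPLE_LOG, REGISTERED):
        print(f"ALERT {user} from {ip}: {reason}")
```

On the sample above the script flags alice's login from 203.0.113.5 (outside her registered network) and bob's second login (host key fingerprint does not match), while the two registered logins pass. It deliberately does not treat a publickey fingerprint as proof of the client machine, since that key is exactly what a sniffed or stolen credential gives the attacker.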