The OpenSSH Bug That Wasn't | Better HN

86 comments

44 comments · 10 top-level

geerlingguy10y ago· 22 in thread

Key takeaway:

> And as several correspondents have reminded me already -- switching your sshd to keys only authentication will let you sleep better at night.

Even with fail2ban and limited retries, there's no excuse for using password-based authentication anymore. Use an SSH key, protect the key with a password, and turn off password login on all your servers.

Other than that, the main gist of this post is: on most platforms, the default settings for remote login already make brute-force login attempts annoying at best, and with fail2ban or something similar, it's a non-issue.

heywire10y ago

I've always wanted to disable password based auth, but I am worried that if I need to connect to my machine in a pinch from some random device (wife's phone, borrowed machine from friend, work, etc), that I won't be able to connect. How do people get around this? Keep in mind that I'm talking about home machines and hobby VM instances, I do not manage any production servers or anything.

tjohns10y ago

Use a YubiKey Neo keychain dongle: https://www.yubico.com/products/yubikey-hardware/yubikey-neo...

Normally they're used for OTPs or Chrome's FIDO U2F auth scheme, but you can also put them in smartcard mode. If you do this, you can use it as an OpenPGP key, which is also compatible with SSH:

https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubike... https://www.yubico.com/2012/12/yubikey-neo-openpgp/

Just about the only place that won't work is on a phone. Technically it has an independent NFC interface which could probably be made to work with some extra development, but I haven't looked into it.

e12e10y ago

With newer ssh, you could always switch to two-factor authentication, requiring password and a One Time Password via Google Authenticator or another OTP implementation.

That way a brute force attack would essentially need to gain access to the shared OTP secret in order to be successful (assuming ~few/normal user population. With a 6-digit otp, I suppose the value of otp drops if an attacker can try to log in as ~1 billion users in parallel -- but it's not really a scenario most of us have to worry about).

Another option is to use ssh certificates. As long as you are able to make yourself new user certificates, you can log in. One bonus with certificates is that they can be set to expire, unlike keys.

kryptiskt10y ago

Put a key on your phone or an USB stick. I make a key for every machine that I have, and that keys never leaves that machine. In addition I keep another key that I can use to get started again if my laptop gets stolen or breaks.

If I lose the phone, there's a pretty good password on that key that should give me ample time to remove access rights for it.

UnoriginalGuy10y ago

Create a normal user, DON'T add them to the sudo group (or any other special group), and then generate keys for them. Store those keys in some online "cloud" storage (DropBox, Google Drive, OneDrive, et al).

Then if you need to get in, download the key, type in the password, login as that user, and the su up to root by entering the password only you know.

As an additional layer of security you could encrypt the key using AES-256 (e.g. 7Zip archive, Microsoft Office's Word .docx (NOT .doc) format (just drag drop the file into Word, "Encrypt with password") now AES-256 encrypted, others).

Now you have four layers of protection:

- su password.

- Key password.

- AES-256 encryption password.

- "Cloud" storage credentials.

semi-extrinsic10y ago

Use a stepstone. This is really only feasible if you can get a user account some place where they take network security seriously.

(A stepstone is a well-protected server where you can log in with user/pass and use your keys to login to other machines from there.)

larrys10y ago

ssh keys on USB attached to your physical house and car keys with encryption (say an encrypted volume).

Don't note what machine or where the key has access to either. I know purists will take issue with this but it's a solution to a problem as you have detailed.

Obviously only works from "borrowed machine from friend work etc" unless you can get the key from a machine to "wife's phone".

chei0aiV10y ago

Don't connect to your servers from machines you don't/shouldn't trust.

cbsmith10y ago

Think of it this way. If you created a private key and uploaded it to a public website where everyone could get to it (say you posted it to HN ;-), how exactly is your system less secure than with password based auth?

You still need a passphrase to decrypt the private key. If you bump up the number of trials, you can make decryption even slower. It's going to be harder for someone to crack that than a normal brute force against a password.

Now, if you put that key behind a decently secure storage service that you use TFA to access, that's actually way more secure than just using a password.

Given that, the question ought to be whether you upload the private key to the cloud, or try to manage the private key yourself. Password based authentication shouldn't be one of the options you are considering.

feld10y ago

Unless they can provide a username that crashes fail2ban via blowing up the regex parsing... and then they get all the free tries they want.

fail2ban/sshguard/etc are not infallible. Someone will find a way to break them.

mzs10y ago

I think fail2ban does not do IPv6 yet.

voidlogic10y ago

To secure SSH, the more I care about a system the farther down this list I go.

  1. Disable root
  2. Use keys, disable passwords
  3. Install fail2ban
  4. Restrict incoming subnets
  5. MathAuthTries = 1
  6. Run on high random port
  7. Use port knocking

moe10y ago

1. Disable root

This doesn't add any security, it only makes your admin life miserable.

steckerbrett10y ago

If your threat model has someone stealing your private key and breaking/obtaining the password to it, none of the other measures are going to mean anything as they have root on your box. With root they can bypass the access restrictions, knocking, whatever else. 2FA with an external device would probably make more sense than any of them and be significantly less irritating.

scintill7610y ago

I've been toying with the idea of making a tool to derive SSH keys directly from memorable passphrases, with something like scrypt. Almost as convenient as a normal passphrase, almost as secure as a random key! ("Secure" because presumably no script kiddies are bruteforcing keys like they are bruteforcing passwords.)

Besides the dubious security value, another reason I haven't bothered is that if you don't have convenient+secure access to a proper key, you're not going to have convenient+secure access to the key generator either. Maybe it could still be an excuse to learn a new language and how SSH keys work. I don't know if I could rationalize even tossing it up on Github with warnings though.

cbsmith10y ago

Yeah, I'm not seeing the point of doing that. You might as well create the key, encrypt it with the passphrase as per usual, and then post it online for all to see.

It's effectively the same thing as generating the key from the pass phrase, except you are mixing in a nice giant product of two primes in to the mix.

nickpsecurity10y ago

Generating simple ones then encrypt & MAC them with password-derived key seems simpler. There's standard constructions for each step, too.

jandrese10y ago

Then you're screwed when you need to log on to your server from some random machine that doesn't have your key installed.

TheDong10y ago

Good.

If you can login from "some random machine" that means your password is terribly weak as well. Use a password manager, generate passwords with over 100 bits of entropy, and then you can't log into anything without it present. Now start carrying around your password manager on an encrypted thumbdrive, along with your gpg key and private ssh key with the decryption password + password manager password being the only ones you remember.

Any password a human creates and remembers is a problem. The best mitigation is to only remember passwords that are only useful in conjunction with physical access (the password manager / decryption ones).

tytso10y ago

Nope, because my ssh key is on my phone and my tablet, with an ssh client, and I pretty much always have my phone with me.

I do have a USB thumb drive with a bootable standalone system which I could use on a random mmachine --- but even if that solves the problem of exposing my password or ssh keys to a system which has malware on it, I pretty much assume that random machines, especially those at airport lounges or internet cafes, probably have keyboard bugs installed, so I wouldn't really trust my bootable thumb drive on those machines anyway.

I might use the thumb drive on a friend's machine which I really trusted, but most of the time I'd much rather use a trusted machine that I own, such as either my tablet or my laptop, or in the extreme cases, my phone.

jms70310y ago

That's fine. Who knows what happens when you enter your password on the machine or if you have agent forwarding enabled.

cbhl10y ago

You can mitigate this by having lots of machines with your key installed (at least two), in different physical locations.

hyperion201010y ago· 5 in thread

I have disabled PAM by default on all my boxes that run sshd for the last 9 years out of habit, I long ago forgot the reason why (probably because the gentoo sshd handbook entry said it was a good idea). Why UsePAM is set to yes in sshd_config by default on many distros is beyond me.

ajross10y ago

Because PAM is the default authentication framework on all those distros. Yes, it's a disaster of complexity and something pretty much no one understands. But it's what we have.

Maybe a rearchitected replacement will land in systemd someday...

mjard10y ago

Or in pulseaudio as a master troll.

digi_owl10y ago

Would that be systemd-pamd or s-pamd?

ak21710y ago

Key problem: aside from PAM, there is no way to use TOTP-based 2FA on your SSH server. And any modern security setup requires 2FA.

tete10y ago

OpenBSD has bsd_auth and it works well with things like googleauth (HOTP, TOTP), s/key, etc.

I think the problem is that somehow everyone ended up with PAM and are now somewhat stuck with it. FreeBSD too.

cbsmith10y ago· 2 in thread

This really is a bug in how OpenSSH USE_PAM is implemented.

Particularly if you presume that PAM is the devil, the last thing you want to do, from a security standpoint, is to let a client dictate how a server applies PAM. The policy _has_ to be entirely controlled by the server's config. Once you let the client decide, you're just asking for things to go wrong.

acqq10y ago

Yes, and this guy, quoted by the article author:

"I wouldn't call that an OpenSSH bug. I would call it a systemic design flaw in PAM."

is then clearly wrong, it is an OpenSSH bug.

cbsmith10y ago

Well, it sort of isn't, because the OpenBSD team designed OpenSSH to not use PAM at all. PAM was patched in by some folks, and clearly they got it wrong, but I suspect the OpenSSH team doesn't see that as "part of OpenSSH".

j_m_b10y ago· 2 in thread

I am curious as to what happens when this is done with an existent user? I feel like there would be different behaviors for timeouts when a non-existent username is used and when a wrong password is used for an existent username.

feld10y ago

No, the behavior needs to be identical in all failure cases or attackers can use the different feedback to learn valid usernames, etc

j_m_b10y ago

I should have elaborated better. I think that the feedback should in theory always be the same. However, the check for existent user and the check for correct password are different procedures in the program. The program masks this fact by always having one feedback prompt for actions that don't result in login. Perhaps the original bug report only allowed multiple retries for existent users but not for non-existent users, thus shattering the illusion that the feedback is always the same.

feld10y ago· 1 in thread

Thankfully my use of PAM is for 2FA with SSH when I don't have my key. So they wouldn't have been successful in pulling off a bruteforce anyway. But it's annoying that their attempts weren't being limited as it can waste resources...

currysausage10y ago

You wouldn't have a working config at hand for requiring TOTP (Google Authenticator) only for OpenSSH password logins on Debian, would you?

liveoneggs10y ago· 1 in thread

NetBSD is integrating a system called blacklistd to address fail2ban being less than elegant.

http://netbsd.gw.com/cgi-bin/man-cgi?blacklistd++NetBSD-curr...

RexRollman10y ago

Doesn't NetBSD use PAM? It might behave the same way.

baby10y ago· 1 in thread

They talk about FreeBSD in the original article and the guy tests that on other OS and say it's not a serious vuln?

This is a serious vuln for FreeBSD. Period.

glass-OP10y ago

> They talk about FreeBSD in the original article and the guy tests that on other OS and say it's not a serious vuln?

Mr Hansteen is saying it is not a serious OpenSSH vuln, like the tech media is claiming it is.

> This is a serious vuln for FreeBSD. Period.

That's why the original disclosure and subsequent news articles clearly stated it was a FreeBSD and/or PAM vulnerability, and didn't run with headlines such as "OpenSSH keyboard-interactive authentication brute force vulnerability"[0] or "Bug in widely used OpenSSH opens servers to password cracking"[1].

[0] https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-i...

[1] http://arstechnica.com/security/2015/07/bug-in-widely-used-o...

akkartik10y ago

Oh, good old PAM: http://web.archive.org/web/20131205090841/http://deadmemes.n... (Discussed previously: https://news.ycombinator.com/item?id=3325510)

pellaeon10y ago

FreeBSD hasn't released a patch, so I patched it myself.

https://nyllep.wordpress.com/2015/07/25/emergency-fix-for-cv...

gosukiwi10y ago

Lol'd at the blog's title

j / k navigate · click thread line to collapse