Comment 1 for bug 1324545

Vagrant Cascadian (vagrantc) wrote : Re: [Bug 1324545] [NEW] [14.04] ssh server on thin client broken by default

On Thu, May 29, 2014 at 01:48:12PM -0000, Jakob Unterwurzacher wrote:
> The line
> etc/ssh/ssh_host_*_key
> in
> /etc/ltsp/ltsp-update-image.excludes
> excludes the ssh host key from the nbd image. This means that an installed ssh server is broken by default, and you get lines like
> sshd[2378]: error: Could not load host key: /etc/ssh/ssh_host_rsa_key
> in the syslog.

True. By default, the clients do not have a functional ssh server. The keys
could be regenerated at boot (which means there would be no way to verify them)
or copied from some other location at boot (which means they would not be
secure).

> The reason for excluding it probably is that the host key is secret, and
> everything that goes in the nbd image is essentially public.
>
> However, exposing the host key does NOT compromise ssh sessions ( http://security.stackexchange.com/questions/54852/server-side-ssh-keys-compromised ).

After reading the article referenced, this seems like a misinformed conclusion...
There are many ways those keys could be used to compromise both the server and
the clients in question. The most obvious is MITM attacks, but you could also
gain significant data by capturing all network traffic and processing the
conversations later...

> Exploiting the exposed key would need a full man-in-the-middle attack. And if the attacker can do that, he can also set up a rogue DHCP server and own everything.

A major purpose of public key crypto in ssh is to detect and mitigate the
impact of man in the middle attacks, so this seems a bit backwards
thinking...

While DHCP server is a weak point in the security of an LTSP installation,
we don't have to throw out all attempts at securing the sessions because
there's a weak point in the chain. Not to say we shouldn't be aware of the
weaknesses in our security, but it's not a good excuse to further weaken the
security.

> What IS a problem, however, is password authentication via ssh. As the
> /etc/shadow is public in the nbd image, it can be cracked and then used
> to connect to running thin clients.
>
> Instead of excluding the ssh host keys, I suggest appending
> "PasswordAuthentication no" to the thin client's /etc/ssh/sshd_config.

I think storing the shadow file in the image by default is a security issue,
unrelated to whether or not sshd on the client allows password-authenticated
connections... That seems like a policy decision for the network
administrator on a per-site basis, not the LTSP developers.

live well,
  vagrant
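The two points the thread argues over, an nbd image with no sshd host keys and an image-wide sshd_config that still permits password logins, can both be checked before the image is published. The script below is an added example written for this page; it is not part of LTSP or of the bug report. It builds a constructed sample tree with mktemp (the empty `ssh_host_rsa_key` is a placeholder standing in for a real key, not something sshd would load), and the function names `audit_image`, `check_host_keys`, `check_password_auth`, `effective_password_auth`, `excludes_host_keys` and `make_sample_root` are this example's own. It also covers a caveat the "append to sshd_config" suggestion runs into: sshd uses the first uncommented value of a keyword, so a `PasswordAuthentication no` appended after an existing `PasswordAuthentication yes` has no effect, and the audit reports the directive's effective value rather than the last one written.

```shell
#!/bin/sh
# Audit an unpacked LTSP client image root for the two sshd issues discussed
# in the bug: missing host keys and password authentication left enabled.
# Everything here operates on a constructed sample tree, not a real image.

# sshd_config rule: for each keyword the FIRST uncommented value wins.
# Prints the effective PasswordAuthentication value ("yes" is sshd's default).
# Match blocks and the "Keyword=value" spelling are not handled here.
effective_password_auth() {
    cfg="$1"
    val=$(awk 'tolower($1)=="passwordauthentication" { print tolower($2); exit }' "$cfg" 2>/dev/null)
    if [ -n "$val" ]; then echo "$val"; else echo "yes"; fi
}

# $1 = image root; succeeds when password logins are effectively disabled
check_password_auth() {
    [ "$(effective_password_auth "$1/etc/ssh/sshd_config")" = "no" ]
}

# $1 = image root; succeeds when at least one sshd host private key is present
check_host_keys() {
    for k in "$1"/etc/ssh/ssh_host_*_key; do
        [ -f "$k" ] && return 0
    done
    return 1
}

# $1 = ltsp-update-image.excludes; succeeds when it strips the host keys
excludes_host_keys() {
    grep -qs '^[[:space:]]*etc/ssh/ssh_host_' "$1"
}

# $1 = image root; prints findings and returns the number of problems (0 = clean)
audit_image() {
    root="$1"; problems=0
    if excludes_host_keys "$root/etc/ltsp/ltsp-update-image.excludes"; then
        echo "WARN: excludes file strips ssh host keys; sshd on the client will not start"
        problems=$((problems + 1))
    fi
    if ! check_host_keys "$root"; then
        echo "WARN: no /etc/ssh/ssh_host_*_key in image; sshd would log 'Could not load host key'"
        problems=$((problems + 1))
    fi
    if ! check_password_auth "$root"; then
        echo "WARN: PasswordAuthentication is effectively '$(effective_password_auth "$root/etc/ssh/sshd_config")'; image contents are public, so disable it"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample tree (printed path is a fresh temp dir).
# $1 = broken | fixed | misordered
make_sample_root() {
    sample=$(mktemp -d)
    mkdir -p "$sample/etc/ssh" "$sample/etc/ltsp"
    case "$1" in
        fixed)       # directive appended after the stock commented-out line: takes effect
            printf '#PasswordAuthentication yes\nPasswordAuthentication no\n' > "$sample/etc/ssh/sshd_config"
            : > "$sample/etc/ssh/ssh_host_rsa_key"   # placeholder, not a real key
            : > "$sample/etc/ltsp/ltsp-update-image.excludes"
            ;;
        misordered)  # "no" appended after an active "yes": first value wins, still yes
            printf 'PasswordAuthentication yes\nPasswordAuthentication no\n' > "$sample/etc/ssh/sshd_config"
            : > "$sample/etc/ssh/ssh_host_rsa_key"   # placeholder, not a real key
            : > "$sample/etc/ltsp/ltsp-update-image.excludes"
            ;;
        *)           # mirrors the default described in the bug report
            printf '#PasswordAuthentication yes\n' > "$sample/etc/ssh/sshd_config"
            printf 'etc/ssh/ssh_host_*_key\n' > "$sample/etc/ltsp/ltsp-update-image.excludes"
            ;;
    esac
    echo "$sample"
}

# Stand-alone demo on the "broken" tree: expect three warnings
demo=$(make_sample_root broken)
audit_image "$demo"
rm -rf "$demo"
```

To run it against a real client tree instead of the sample, call `audit_image /opt/ltsp/i386` (or whatever the chroot path is on the site) from a shell that has sourced the script; a non-zero return is the count of findings, which makes it usable as a pre-publish gate in an image build.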