ssh - no added security?
Sune Rastad Bahn
srb at dmi.dk
Tue Mar 25 13:01:11 CET 2003
Mark Hedges wrote:
> > Does it really matter that the install client uses ssh to save
> > log files, and that ssh is used to access the install client
> > from the server?
> >
> > Since the client mounts the filesystem containing its secret
> > keys with nfs, the secret host key and user key pass in the
> > clear from server to client when the client opens them to make a
> > connection.
>
> It seems also that make-fai-nfsroot copies the host keys of the
> installation server to nfsroot rather than generating new keys.
> debootstrap does this. The copied host keys need to be removed
> and then a `dpkg-reconfigure ssh` will generate new ones for
> the nfsroot environment.
>
> Did the old version do this? That would mean that until now,
> server host keys have been compromised as well as login keys,
> because the client opens them through the cleartext nfs mount.
>
> I will try to write a patch in the next couple days that fixes
> this problem with make-fai-nfsroot, and the problem of copying
> the correct host keys into the client's known_hosts file that
> Radek Hnilica <ML at hnilica.cz> reported... unless someone already
> did this...?
>
> Then, at least, the only sensitive secret key that will pass
> through the cleartext nfs mount will be the fai user's login key.
>
> --mark--
Dear Mark,
the question of security during fai installation is a very interesting one.
We have worked a bit on tightning the security of fai but have not had the
time to submit our patch yet. Our goals was:
Make sure that the security of the fai-server is not compromised.
As a secondary goal we would try to make sure that the security of a machine
which is installing from the fai-server is not compromised unnessary during
installation.
As you also points out, just going from rsh to ssh helps very little in
securing the system, since the key used has to be available on the nfs mount.
One has to be a little more careful.
Let's analyze the situation a bit. We need the client to be able to tell the
server when the installation is done. Futhermore we need to move some files
to the server, and perhaps do some minor changes on the server, such as
changing tftpboot/bootp files (depending on the setup).
The unmodified setup involves letting the client login password less to a
special account on the server and do all the necessary things there. The
problem is that in reality anyone can read the nfsroot and use the
information to get the access to the fai server (after which a local exploit
would be enough to get full control). To remedy this situation we made a
setup where the client has minimal influence on the fai-server. Instead of a
full login shell, the special account on the fai-server has a special login
script designed to do the necessary actions. This means that all the client
can do is tell the server that it is done. From the client point of view the
situation is the following:
What I have (via nfs): A private key to trigger the fai-server script. A
public host key to make sure I connect to the right host.
Notice that the client doesn't have the public part of the key to contact the
faiserver. This is kept secret on the server. Actually this is not added
security since it just plays the same role as the host-key but still, it
doesn't hurt either.
An intruder on the network will be able to very easily trigger the script on
the fai-server, but if the script on the server is well designed this will
not give any more control to the intruder. If the intruder is more clever he
can intercept the nfs communication so in theory there will be no way to
avoid an attack of the client during istallation. As an example, the intruder
can simply hijack the root nfs-mount already during bootup, giving complete
control over the client. To avoid such an attack one would have to rethink
the whole bootup process (including bootp/dhcp and tftp). If you're this
paranoid, you probably shouldn't install over network anyway!
Having accepted the possibility that the client is taken, puts even more
emphasize on making sure that a rotten client wont compromise the server.
OK. Lets now look at the situation from the server point of view.
The special fai account should be locked down as tight as possible, that
means:
No valid passwd.
Only access through ssh (with valid key).
No login shell, only a carefully crafted loginscript.
Home directory on nonshared drive.
Proper tight permissions on all relevant files.
Since we dont want the client to be able to control whats going on, the
copying of files will be initiated by the script, not by the client. Hence
the server needs to be able to login to the client passwordless. This is done
by placing the public part of a key in the authorized_keys file on the
client. The private part is kept secret on the server. This wont compromise
the safety of the client further, since you need login access to the fai
account on the server, which you can only get by rooting the server, in which
case you have easy access to the client anyway.
So the server has the following:
The public part of the client key is in authorized_keys (the private part is
in the nfsroot).
The private part of the fai-account key (the public part is in authorized_keys
in the nfsroot).
The host_key of the server (the public part is in the nfsroot)
The host_key of the client (the private part is in the nfsroot)
We believe that our setup is very secure with respect to the fai-server.
Probably the server is more vulnerable due to possible flaws in the various
services (nfs, tftp,bootp and ssh), than any insecurities introduced by the
fai setup. At least as long as we believe that the loginscript has no
security issues :-)
How about the security of the clients then? Well, any client installed
before an intruder is on the network should in principle be as safe as any
other linux install. Great care should however be exercised to avoid default
password etc. In our setup we have completely avoided valid password on the
root account and only allow ssh with a valid key. This way we avoid that a
taken client will allow a brute force attack on the /etc/shadow to reveal the
rootpasswd on all clients. In general the fact that the clients are more or
less identical stresses the point that "there is no security through
obscurity possible". One should therefore make sure that being root on one
client will NOT make it easier to become root on any other client. This is
not an easy task, but it is possible.
If an intruder is present on the network, then any new installation is in
theory compromised. There is therefore only one way to deal with it. Get rid
of the intruder, and reinstall all machines installed after the intruder got
in. In practice this means reinstall ALL clients. This is probably the only
way to make sure the intruder is really gone, and since it is probably
impossible to figure out when he got in, its better to be safe than sorry
anyway. Luckily with fai, the reinstallation can be done quite easily. Simply
turn off power for all client. When all machines are down you can reinstall
them one at a time or all together as you like by turning on the power.
If you believe that the server is also compromised, you have to reinstall that
as well, but thats another story...
I hope this long story can help you in securing your system. I also hope to
get time to create the patch for fai, to allow our setup to be used other
places, and finally I hope to get time to document the setup more precise
than I have done here.
Any comments, especially security issues we might have overlooked is very
welcome :-)
--
Sune Rastad Bahn
Systemadministrator
Danmarks Meteorologiske Institut
Lyngbyvej 100
2100 København Ø
Direkte tlf. : 39157562
Email: srb at dmi.dk
More information about the linux-fai
mailing list