LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 05-01-2014, 07:04 AM   #1
wzis
LQ Newbie
 
Registered: Dec 2013
Posts: 17

Rep: Reputation: 0
could SystemTap be used by malicious person to steal ssh password easily ?


Brendan Gregg has a sample dtrace script to show how the dtrace can be used to steal ssh password or passphrase easily, so people should be careful if someone is running a dtrace script on your system. For same reason I want to know whether the systemtap would also allow malicious person to easily steal ssh password, if so, is there a sample SystemTap program which shows that capability? Just need that to confirm whether we should prohibit user to use the tool on production box under normal situation.

Last edited by wzis; 05-01-2014 at 07:25 AM.
 
Old 05-01-2014, 09:39 AM   #2
fche
LQ Newbie
 
Registered: May 2014
Posts: 2

Rep: Reputation: Disabled
use different privilege levels

Normally, systemtap is an administrative tool that gives the sysadmin (root)
full power to observe and affect kernel / userspace behaviour, including
indeed spying on ttys (see the ttyspy.stp example). You would definitely
not want to hand such power to everyone, just as you wouldn't hand out root
passwords to everyone.

Systemtap also has lower-privilege modes ("stapusr"), which are carefully
limited to allow people to only observe and affect their own userspace processes.
These limitations exclude the ability to spy on other users or on the kernel.
It takes a little one-time setup work for the sysadmin to get this sort of
operation enabled (because it relies on network services & cryptography); see
the privilege-related sections in stap(1) and stap-server(8), and the
README.unprivileged file in the systemtap source/binary distributions.
 
2 members found this post helpful.
Old 05-01-2014, 10:46 AM   #3
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177
Furthermore ... you should never be using passwords with ssh anyway. You should always be using keys, and encrypting those keys.
 
Old 05-03-2014, 07:18 PM   #4
wzis
LQ Newbie
 
Registered: Dec 2013
Posts: 17

Original Poster
Rep: Reputation: 0
Thanks for the clear answer!

Quote:
Originally Posted by fche View Post
Normally, systemtap is an administrative tool that gives the sysadmin (root)
full power to observe and affect kernel / userspace behaviour, including
indeed spying on ttys (see the ttyspy.stp example). You would definitely
not want to hand such power to everyone, just as you wouldn't hand out root
passwords to everyone.
Thanks
 
Old 05-03-2014, 08:43 PM   #5
fche
LQ Newbie
 
Registered: May 2014
Posts: 2

Rep: Reputation: Disabled
secure ssh not secure in face of kernel-resident monitoring

Quote:
Originally Posted by sundialsvcs View Post
"you should never be using passwords with ssh anyway. You should always be using keys, and encrypting those keys."
Those precautions don't do anything against an attacker who has control over the kernel. The moment the ssh client gets to decrypt those keys, a kernel-resident tool can grab them.

Last edited by fche; 05-03-2014 at 08:44 PM.
 
  


Reply

Tags
security


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
9.9 installs easily but then login password fails Rexc Calculate 3 10-01-2009 12:42 PM
Two-Person Rule or Password Split puruntong Linux - Security 2 11-01-2008 05:36 AM
SSH tunneling: bypass (almost) any firewall easily michux Linux - Networking 1 08-23-2006 12:29 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 07:56 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration