On 2002.09.16 at 17:48:42 -0400, Andrew Danforth wrote:

> During authentication, OpenSSH 3.4p1 with privsep enabled passes the
> cleartext password from the main process to the privsep child using a
> pipe. Using strace or truss, root can see the user's plaintext password
> flying by. I observed this behavior from OpenSSH 3.4p1 built using GCC on
> Solaris 2.8 and the current Debian OpenSSH 3.4p1 package.
>
> Theo and Markus tell me that this is not an issue. Theo says that you
> cannot prevent root from determining a user's password. I don't disagree,
> but asked why OpenBSD bothers to encrypt user passwords at all if that is
> his attitude.

Because these passwords are stored. That is, if /etc/shadow is stolen by a malicious user because of an administrator's mistake, it is a challenge for that user to get the passwords from their encrypted state. This is not an issue for temporary objects; that's why pipes are considered secure.

> The level of effort to determine cleartext passwords, for even the most
> inexperienced Unix administrator, is almost zero given the above. I
> realize that no matter how you slice it, it will be possible for root to
> grab the password from wherever it's stored in memory. Or recompile sshd
> to log the password, or any number of other ways. However, the methods I
> just mentioned all require someone with significantly more know-how than:
>
> truss -fp `cat /var/run/sshd.pid`

It is also trivial to read a process's memory and so on.

-- 
Artem Chuprina <ran@ran.pp.ru> FIDO: 2:5020/122.256