Re: Openssh use enumeration

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Thu, Jul 21, 2016 at 2:00 PM, Morham Anthelleron
<opensshdev@xxxxxxxxxxx> wrote:
[...]
> Since OpenSSH already makes use of an unprivileged user for privsep, why not
> take the next step of setting a (long) random password for it using the
> system's normal shadow password routines?

Assuming you mean putpwent(): that requires an encrypted string to put
in pw_passwd putting us right back where we started.

> If one is concerned about an accidentally "successful" login, you could
> perturb the supplied passphrase prior to passing it down to the authentication
> library to ensure a successful entry is impossible.
>
> Alternately, a second "dummy" account that's not used at all by the system
> which is a chroot jail with nothing in it with a random password?

If we could reliably come up with the encrypted string to put in that
dummy account we wouldn't need the dummy account.

Actually setting a password is quite system dependent.  exec'ing
/bin/passwd in most cases needs a controlling terminal although some
have flags for reading form stdin.   Using pam_chauthtok() would
require making assumptions about what the prompts were.  Some systems
enforce complexity (as opposed to entropy) requirements.  And then
you'd have an account with a password that you're not quite sure where
it came from.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux