[HN Gopher] Zero Effort Private Key Compromise: Abusing SSH-Agen...
___________________________________________________________________
Zero Effort Private Key Compromise: Abusing SSH-Agent for Lateral Movement

Author : warrenm
Score  : 18 points
Date   : 2023-09-15 19:58 UTC (3 hours ago)

(HTM) web link (grahamhelton.com)
(TXT) w3m dump (grahamhelton.com)

| batch12 wrote:
| This article helped me evolve my understanding of the impact of
| the recent openssh vuln, CVE-2023-38408. Gaining RCE on the
| source system is more valuable if you consider that the
| vulnerable machine is likely using ssh-agent to connect to other
| hosts, which makes pivoting potentially much easier.
|
| fn-mote wrote:
| > So, is this a vulnerability? Well no, not exactly [...]
|
| Connecting to a compromised machine with `ssh -A` (agent
| forwarding) lets the attacker use your credentials for ssh
| sessions elsewhere. It's almost explained in the man page.
|
| Avoid the agent forwarding and you are fine.
|
| g1a55er wrote:
| Good find! I was always curious how this worked.
|
| I'm a big fan of tools like secretive[1] that can help solve this
| problem by using biometrics to shift the UX/security trade-off
| and thus make it feasible to always require some kind of
| authentication to sign a token with a key.
|
| I'm not aware of any tools that do the same for Linux, and a
| quick Google search doesn't turn up much[2]. It does look like
| you can at least get a notification[3], though.
|
| This could provide another layer of protection on the user's
| endpoint device in addition to the network monitoring called out
| in the article. Defense in depth, and all that.
|
| [1] https://github.com/maxgoedjen/secretive
|
| [2] https://unix.stackexchange.com/questions/705144/unlock-an-ss...
|
| [3] https://www.insecure.ws/2013/09/25/ssh-agent-notification.ht...
|
| Canada wrote:
| OpenSSH 8.9 introduced a restriction feature to mitigate this.
|
| https://www.openssh.com/agent-restrict.html
___________________________________________________________________
(page generated 2023-09-15 23:00 UTC)
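
An added example, not part of the thread or the linked article: a small auditor for the "avoid the agent forwarding" advice above, which lists every ForwardAgent directive in an OpenSSH client config that turns forwarding on and marks the ones that reach hosts you did not name. The sample config, the function name and the "broad"/"scoped" labels are assumptions made for this illustration.

```python
import re

# Constructed sample client config for the demonstration (not from the thread).
SAMPLE_CONFIG = """\
Host bastion
    HostName bastion.example.com
    ForwardAgent yes

Host build-*
    forwardagent=no

Host *
    ForwardAgent yes
    ServerAliveInterval 30
"""

# ssh_config(5): "keyword arguments", separated by whitespace or a single "=".
DIRECTIVE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.*)$")


def audit_forward_agent(config_text):
    """Return (line_number, scope, value, risk) for each directive that enables
    agent forwarding. Flags directives only; it does not resolve which one wins
    for a given host (ssh uses the first value obtained)."""
    findings = []
    scope, broad = "(global)", True  # directives before any Host/Match apply to all hosts
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        match = DIRECTIVE.match(line)
        if not match or line.startswith("#"):
            continue
        keyword, args = match.group(1).lower(), match.group(2).strip()
        if keyword == "host":
            scope = args
            # A non-negated pattern containing a wildcard covers hosts you did not name.
            broad = any(("*" in p or "?" in p) and not p.startswith("!") for p in args.split())
        elif keyword == "match":
            scope = "Match " + args
            broad = "all" in args.lower().split()
        elif keyword == "forwardagent":
            value = args.strip('"')
            # "no" is the default; yes, a socket path or a $VAR all enable forwarding.
            if value.lower() != "no":
                findings.append((lineno, scope, value, "broad" if broad else "scoped"))
    return findings


if __name__ == "__main__":
    for finding in audit_forward_agent(SAMPLE_CONFIG):
        print("line %d [%s] ForwardAgent %s -> %s" % finding)
```

`ssh -G <host>` prints the configuration ssh would actually apply to a single host, which settles whether a flagged directive takes effect there.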