[HN Gopher] Zero Effort Private Key Compromise: Abusing SSH-Agen...
       ___________________________________________________________________
        
       Zero Effort Private Key Compromise: Abusing SSH-Agent for Lateral
       Movement
        
       Author : warrenm
       Score  : 18 points
       Date   : 2023-09-15 19:58 UTC (3 hours ago)
        
 (HTM) web link (grahamhelton.com)
 (TXT) w3m dump (grahamhelton.com)
        
       | batch12 wrote:
       | This article helped me evolve my understanding of the impact of
       | the recent openssh vuln, CVE-2023-38408. Gaining RCE on the
       | source system is more valuable if you consider that the
       | vulnerable machine is likely using ssh-agent to connect to other
       | hosts, which makes pivoting potentially much easier.
        
       | fn-mote wrote:
       | > So, is this a vulnerability? Well no, not exactly [...]
       | 
       | Connecting to a compromised machine with `ssh -A` (agent
       | forwarding) lets the attacker use your credentials for ssh
       | sessions elsewhere. It's almost explained in the man page.
       | 
       | Avoid the agent forwarding and you are fine.
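As an added illustration (not part of the thread or the linked article), a small Python audit of the ssh_config semantics behind that advice: ssh takes the first value obtained for each option, so a top-level ForwardAgent line overrides every later per-host "no", which is why hardened configs put a catch-all `Host *` with `ForwardAgent no` last. Both configs are constructed samples; the function and variable names are my own.

```python
import fnmatch
import re

# Constructed samples. The top-level "yes" in RISKY_CONFIG silently wins
# over the per-host "no"; HARDENED_CONFIG keeps the catch-all block last.
RISKY_CONFIG = """\
ForwardAgent yes
Host bastion
    ForwardAgent no
"""
HARDENED_CONFIG = """\
Host bastion
    ForwardAgent yes
Host *
    ForwardAgent no
"""

def parse_ssh_config(text):
    """Return ordered [(patterns, {option: value})]; lines before any Host apply to '*'."""
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key in ("host", "match"):
            # Match criteria are not evaluated here: such a block matches nothing
            blocks.append((value.split() if key == "host" else [], {}))
        else:
            blocks[-1][1].setdefault(key, value)  # first value for an option wins
    return blocks
def host_matches(patterns, host):
    """ssh-style pattern list: some positive glob matches and no '!' pattern does."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched
def effective_option(blocks, host, option):
    """First value of `option` from the blocks matching `host`, in file order."""
    for patterns, opts in blocks:
        if host_matches(patterns, host) and option.lower() in opts:
            return opts[option.lower()]
    return None  # option absent: ssh's default applies (ForwardAgent defaults to no)
def forwarding_hosts(text, hosts):
    """Hosts for which this config effectively turns agent forwarding on."""
    blocks = parse_ssh_config(text)
    return [h for h in hosts if (effective_option(blocks, h, "ForwardAgent") or "no").lower() == "yes"]
```

Run it against your own `~/.ssh/config` and the host aliases you actually use; any host listed by `forwarding_hosts` is one where a compromised remote end could use your agent.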
        
       | g1a55er wrote:
       | Good find! I was always curious how this worked.
       | 
       | I'm a big fan of tools like secretive[1] that can help solve this
       | problem by using biometrics to shift the UX/security trade-off
       | and thus make it feasible to always require some kind of
       | authentication to sign a token with a key.
       | 
       | I'm not aware of any tools that do the same for Linux, and a
       | quick Google search doesn't turn up much[2]. It does look like
       | you can at least get a notification[3], though.
       | 
       | This could provide another layer of protection on the user's
       | endpoint device in addition to the network monitoring called out in
       | the article. Defense in depth, and all that.
       | 
       | [1] https://github.com/maxgoedjen/secretive
       | 
       | [2] https://unix.stackexchange.com/questions/705144/unlock-an-
       | ss...
       | 
       | [3] https://www.insecure.ws/2013/09/25/ssh-agent-
       | notification.ht...
        
       | Canada wrote:
       | OpenSSH 8.9 introduced a restriction feature to mitigate this.
       | 
       | https://www.openssh.com/agent-restrict.html
        
       ___________________________________________________________________
       (page generated 2023-09-15 23:00 UTC)