Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20180826120058.GA7071@openwall.com>
Date: Sun, 26 Aug 2018 14:00:58 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: About OpenSSH "user enumeration" / CVE-2018-15473

On Sun, Aug 26, 2018 at 06:04:50PM +1000, Damien Miller wrote:
> On Sat, 25 Aug 2018, Solar Designer wrote:
> 
> > This could mean an extra getpwnam(3) call, which is a slightly greater
> > timing leak than what's present in one call. That may be further
> > mitigated by always doing two calls. Of course, this won't be anywhere
> > near timing-safe anyway.
> >
> > Now, it can be tricky to pick a specific fallback username in
> > OpenSSH-portable that we'd be OK with all non-existent usernames to
> > behave similarly to. "root" may somewhat likely have unusual password
> > hash (like it historically did on OpenBSD); "nobody" likely has its
> > password locked (but maybe that's OK - it is in fact common for SSH
> > users to have only public keys setup, and no passwords). Maybe there
> > should be a way to override this dummy username in sshd_config.
> 
> That sounds like a fair amount of complexity in return for scant
> benefit:

Thank you for sharing your opinion.

To me, it sounds like greater complexity of the resulting code, but it's
also a simpler change (higher level, easier to reason about) than your
previously discussed commit.  (And it avoids the need for further
reviews/changes dealing with maybe remaining worse-than-timing behavior
differences for existing vs. non-existent usernames, except for users
with non-default authentication settings - e.g., with authorized_keys
files or on DenyUsers.)

> at best you dodge a few (IMO uninteresting) bugs, but now you
> are guaranteed to have all your authz code exposed to a the attacker.

This sounds like a misunderstanding.  With the approach I suggested,
no extra pre-existing code would be exposed to any attacker (only very
few newly added lines of code would be), because all of that code would
have been reachable under the fallback username anyway.

> Moreover, using a "real fake" account gives a timing / system behaviour
> baseline too.

I'm not sure if that's what you meant, but yes it could be possible to
see that the response time for non-existent users is nearly the same,
whereas for other usernames it would vary slightly.  This is similar to
other (currently possible) attacks on getpwnam(3) not being timing-safe.

Your recent "global 5ms minimum plus an additional per-user 0-4ms delay
derived from a host secret" time for failed authentication should help
mitigate this.  [A further (yet still imperfect) mitigation would be to
replace the nanosleep() with a busy wait (which would be a closer match
to a system function taking longer to do its work, but still not exactly
the same in terms of effect e.g. on concurrent authentication attempts).
I am not sure if this further imperfect improvement is a good trade-off.
With nanosleep(), we conserve server resources and energy.]

> It might be harder to discern, but techniques for making
> remote observations of subtle system side-channels are scarily well-
> developed, and I'm sure that it would be pretty easy to spot if people
> applied them.

Right.  It's unrealistic to fully prevent such attacks given the
existing non-timing-safe system interfaces.

Anyway, I don't insist on any specific approach (nor would my preference
matter all that much), especially now that you've already made relevant
changes in the way you did.  I merely wanted to point out that the
attack surface increase was not certain (maybe that code was already
exposed under other usernames, also pre-authentication) and could have
been avoided with greater confidence using that other approach.

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.