Re: Bootstrapping

From: Eric Sorenson
Subject: Re: Bootstrapping
Date: Wed, 18 Feb 2004 13:23:57 -0800 (PST)

On Wed, 18 Feb 2004 address@hidden wrote:

> Now this is asking for a flame. Why do people say things
> like this? What trust model would you trust?
> If you don't trust the cfengine trust model then
> you do not trust the secure shell trust model either, because
> it is the same only less strict. The cfengine trust model is really
> quite strict compared to many. Is this just a thoughtless
> comment or do you have an actual criticism to make of it?

I'm sorry, it wasn't intended as a personal attack or anything.

I'm just saying, there are published remote-root exploits 
that totally circumvent the access checks, public keys, DNS domain
restrictions, etc by doing something unexpected, and so I will
not bet the farm on them. 

You are right that I don't trust ssh either, it is better than
telnet and now that it has Privilege Separation it's better than
it used to be -- but I still put packet filters in front of the
ssh ports for hosts that I care about. The Bug-O-The-Week club
for OpenSSH last year killed any love I had for it.

I trust my border routers not to let any traffic to/from tcp/5308
through. I trust my iptables firewall not to let unestablished traffic 
inbound to my LAN from the outside world.

There is a fundamental criticism too, that I can best explain
with an ssh example. OpenSSH complains when you first receive
a key from a host you've not previously talked to before, requiring
you to type 'yes' at

    The authenticity of host 'weeble (' can't be established.
    RSA key fingerprint is 3c:a9:1c:c6:2f:e6:f9:6d:77:54:98:1a:71:44:54:4e.
    Are you sure you want to continue connecting (yes/no)? 

Which of course, you type "yes" to, no matter what, because you
want to connect to the host, or you wouldn't have ssh'ed to it.

Then if weeble changes due to a reinstallation, you get 

    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that the RSA host key has just been changed.
    The fingerprint for the RSA key sent by the remote host is
    Please contact your system administrator.
    Add correct host key in /home/eric/.ssh/known_hosts to get rid of this 
    Offending key in /home/eric/.ssh/known_hosts:684
    RSA host key for weeble has changed and you have requested strict checking.
    Host key verification failed.

But it's almost never really a man in the middle attack, it's
a pain in the ass attack because you can't connect where you want,
and you have to edit your known_hosts file. Which, even on the .001%
chance that it actually IS a MITM attack, **You will probably do**
because you want to get to that machine.

Cfengine has the same problem, except when the host key changes
you have to track down why this one machine can't get updates and
the users are complaining.  

Now the above may be a criticism of user behavior more than anything, but I'm
saying that if someone is generating themselves a valid-but-untrusted ppkey and
posing as a legitimate cfengine client, and they can get some information they
shouldn't have through that means, then you have much bigger problems than you
realize and rejecting their key isn't going to help much.


    Eric Sorenson - EXPLOSIVE Networking -
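The known_hosts check Eric walks through above (first contact, pinned key agrees, or "host key has changed" with the offending line number), written out as an added example for readers of this thread; it is not code from the thread or from OpenSSH itself, and it goes slightly beyond the mail by also matching HashKnownHosts-style hashed entries. The host names, key blobs and salt are constructed sample values.

```python
import base64
import hashlib
import hmac

# Constructed sample values (not real keys): two made-up ssh-rsa key blobs.
KEY_WEEBLE = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"\x01" * 40).decode()
KEY_OTHER = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"\x02" * 40).decode()


def md5_fingerprint(b64_key: str) -> str:
    """Old-style OpenSSH fingerprint: MD5 over the raw key blob, shown as
    colon-separated hex pairs (the 3c:a9:1c:... form in the prompt above)."""
    digest = hashlib.md5(base64.b64decode(b64_key)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def hashed_host_field(host: str, salt: bytes) -> str:
    """HashKnownHosts-style host field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(host_field: str, host: str) -> bool:
    """Match a host against a plain comma-separated host list or a hashed entry."""
    if host_field.startswith("|1|"):
        salt_b64 = host_field.split("|")[2]
        return hmac.compare_digest(hashed_host_field(host, base64.b64decode(salt_b64)), host_field)
    return host in host_field.split(",")


# Constructed known_hosts text: a plain entry, the "weeble" entry, and a hashed entry.
KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts, not a real file",
    "otherhost,10.0.0.5 ssh-rsa " + KEY_OTHER,
    "weeble ssh-rsa " + KEY_WEEBLE,
    hashed_host_field("hashedhost", b"\x03" * 20) + " ssh-rsa " + KEY_WEEBLE,
])


def check_host_key(known_hosts: str, host: str, key_type: str, presented: str):
    """Return (verdict, line_no): 'new' (first contact, the yes/no prompt),
    'match' (pinned key agrees) or 'mismatch' (the 'host key has changed' error,
    where line_no is the 'Offending key in known_hosts:N' line)."""
    for line_no, line in enumerate(known_hosts.splitlines(), start=1):
        fields = line.split()
        if line.startswith("#") or len(fields) < 3:
            continue
        if fields[1] != key_type or not host_matches(fields[0], host):
            continue
        if hmac.compare_digest(fields[2], presented):
            return "match", line_no
        return "mismatch", line_no  # fail closed: do not fall through to other lines
    return "new", None
```

The "mismatch" verdict is the point of the mail: a pinned entry that disagrees is rejected outright, and the only way past it is a human editing the file, which is why that step deserves an explanation rather than a reflexive "yes".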
