help-cfengine

Re: Bootstrapping


From: Mark Burgess
Subject: Re: Bootstrapping
Date: Wed, 18 Feb 2004 22:41:17 +0100 (MET)


On 18 Feb, Eric Sorenson wrote:
> On Wed, 18 Feb 2004 Mark.Burgess@iu.hio.no wrote:
> 
>> Now this is asking for a flame. Why do people say things
>> like this? What trust model would you trust?
>> If you don't trust the cfengine trust model then
>> you do not trust the secure shell trust model either, because
>> it is the same only less strict. The cfengine trust model is really
>> quite strict compared to many. Is this just a thoughtless
>> comment or do you have an actual criticism to make of it?
> 
> I'm sorry, it wasn't intended as a personal attack or anything.
> 
> I'm just saying, there are published remote-root exploits 
> that totally circumvent the access checks, public keys, DNS domain
> restrictions, etc by doing something unexpected, and so I will
> not bet the farm on them. 


I do not take this personally, but I do object to the remarks because
they can confuse and mislead people. There was a remote root
exploit in an earlier version due to a typographical omission.
That was corrected a long time ago and it was agreed then that the
possibility for further exploits is "probably" zero.
Such exploits are not "generally possible" as you imply. Cfengine has
a far safer architecture today than most other client-server
applications, by design. If you scaremonger with comments like this
it will make people use bad solutions which really are a security
risk.


> You are right that I don't trust ssh either, it is better than
> telnet and now that it has Privilege Separation it's better than
> it used to be -- but I still put packet filters in front of the
> ssh ports for hosts that I care about. The Bug-O-The-Week club
> for OpenSSH last year killed any love I had for it.
> 
> I trust my border routers not to let any traffic to/from tcp/5308
> through. I trust my iptables firewall not to let unestablished traffic 
> inbound to my LAN from the outside world.
> 
> There is a fundamental criticism too, that I can best explain
> with an ssh example. OpenSSH complains when you first receive
> a key from a host you've not previously talked to before, requiring
> you to type 'yes' at
> 
>     The authenticity of host 'weeble (10.0.0.2)' can't be established.
>     RSA key fingerprint is 3c:a9:1c:c6:2f:e6:f9:6d:77:54:98:1a:71:44:54:4e.
>     Are you sure you want to continue connecting (yes/no)? 
> 
> Which of course, you type "yes" to, no matter what, because you
> want to connect to the host, or you wouldn't have ssh'ed to it.
> 
> Then if weeble changes due to a reinstallation, you get 
> 
>     Someone could be eavesdropping on you right now (man-in-the-middle attack)!
>     It is also possible that the RSA host key has just been changed.
>     The fingerprint for the RSA key sent by the remote host is
>     3c:a9:1c:c6:2f:e6:f9:6d:77:54:98:1a:71:44:54:4e.
>     Please contact your system administrator.
>     Add correct host key in /home/eric/.ssh/known_hosts to get rid of this message.
>     Offending key in /home/eric/.ssh/known_hosts:684
>     RSA host key for weeble has changed and you have requested strict checking.
>     Host key verification failed.
> 
> But it's almost never really a man in the middle attack, it's
> a pain in the ass attack because you can't connect where you want,
> and you have to edit your known_hosts file. Which, even on the %.001
> chance that it actually IS a MITM attack, **You will probably do**
> because you want to get to that machine.



Security is the opposite of convenience. That of course is the point.
What you say is true enough, but that is not the trust model you
are criticising. You are saying that people tend to abuse the mechanisms.
This, of course, they can do with any mechanism.


> Cfengine has the same problem, except when the host key changes
> you have to track down why this one machine can't get updates and
> the users are complaining.  
> 
> Now the above may be a criticism of user behavior more than anything, but I'm
> saying that if someone is generating themselves a valid-but-untrusted ppkey and
> posing as a legitimate cfengine client, and they can get some information they
> shouldn't have through that means, then you have much bigger problems than you
> realize and rejecting their key isn't going to help much.
> 

First of all, if one reads the documentation properly and understands
the trust issues (i.e. not accepting keys on trust from just anyone at any time)
there is no safer way to protect the system. Of course you can deny traffic
with your router and if you control your router that is fine -- all extra
precautions are desirable. But that does not imply a flaw in cfengine.
The problem you describe applies to all software. 

I do not mean to knock you down on the list, but it is very important
that personal frustrations do not cloud the facts. That could confuse
less experienced users/readers. 

Mark

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Work: +47 22453272            Email:  Mark.Burgess@iu.hio.no
Fax : +47 22453205            WWW  :  http://www.iu.hio.no/~mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
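The trust model argued over in this thread (accept a host's key on first contact, pin it, and refuse to talk if the key later changes unless an operator deliberately removes the old entry) is small enough to write down. The following is an added illustration written for this archive page, not code from cfengine, OpenSSH, or either poster. It models a known_hosts-style store with a "trust window" flag standing in for Mark's point about not accepting keys on trust from anyone at any time; the key blobs are constructed byte strings rather than real RSA keys, and the fingerprint is the legacy colon-separated MD5 form shown in Eric's ssh output.

```python
"""Trust-on-first-use (TOFU) host-key store in the style of OpenSSH known_hosts.

Added example for illustration; not cfengine or OpenSSH code.
Key material below is constructed bytes, not real public keys.
"""
import hashlib
import hmac
from enum import Enum


def fingerprint(key_blob: bytes) -> str:
    """Legacy OpenSSH-style fingerprint: MD5 hex digest, colon separated."""
    digest = hashlib.md5(key_blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class Verdict(Enum):
    NEW_HOST_ACCEPTED = "new host: key recorded on trust"
    NEW_HOST_REFUSED = "new host: trust window closed, key not accepted"
    KNOWN_HOST_OK = "known host: presented key matches pinned key"
    KEY_CHANGED = "known host: key mismatch, connection refused"


class TofuKeyStore:
    """Pins the first key seen per host; never silently replaces a pinned key."""

    def __init__(self, accept_unknown: bool = True):
        # accept_unknown is the "trust window": open while bootstrapping
        # new hosts, closed in normal operation (hypothetical knob).
        self.accept_unknown = accept_unknown
        self._keys = {}    # host -> pinned key blob
        self._lines = {}   # host -> known_hosts line number (for error text)

    def verify(self, host: str, presented: bytes) -> Verdict:
        pinned = self._keys.get(host)
        if pinned is None:
            if not self.accept_unknown:
                return Verdict.NEW_HOST_REFUSED
            self._keys[host] = presented
            self._lines[host] = len(self._lines) + 1
            return Verdict.NEW_HOST_ACCEPTED
        # Constant-time comparison; a changed key is an error, never an update.
        if hmac.compare_digest(pinned, presented):
            return Verdict.KNOWN_HOST_OK
        return Verdict.KEY_CHANGED

    def offending_line(self, host: str):
        """Line to report in a 'Offending key in known_hosts:N' message."""
        return self._lines.get(host)

    def forget(self, host: str) -> None:
        """Explicit operator action: the only path by which a new key gets in."""
        self._keys.pop(host, None)
        self._lines.pop(host, None)


def run_scenario() -> list:
    """Replay the thread's 'weeble was reinstalled' story; returns the verdicts."""
    weeble_key = b"constructed-rsa-blob-weeble-v1"      # constructed sample
    weeble_reinstalled = b"constructed-rsa-blob-weeble-v2"
    frob_key = b"constructed-rsa-blob-frob"

    store = TofuKeyStore(accept_unknown=True)
    out = [store.verify("weeble", weeble_key)]          # first contact
    out.append(store.verify("weeble", weeble_key))      # normal day
    out.append(store.verify("weeble", weeble_reinstalled))  # after reinstall
    store.accept_unknown = False                        # close trust window
    out.append(store.verify("frob", frob_key))          # stranger knocks
    store.forget("weeble")                              # operator decides
    store.accept_unknown = True
    out.append(store.verify("weeble", weeble_reinstalled))
    return out


if __name__ == "__main__":
    for v in run_scenario():
        print(v.value)
    print("fingerprint:", fingerprint(b"constructed-rsa-blob-weeble-v1"))
```

The point the example makes concrete is the one both posters circle: the mechanism itself only ever says "match", "mismatch" or "unknown"; whether the operator opens the trust window to strangers or clears a pinned key without asking why it changed is outside the mechanism.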




