Re: sudo configuration !ttytickets?

2013-09-14 Thread Todd C. Miller
On Fri, 13 Sep 2013 12:44:45 +0200, Donovan Watteau wrote:

 Am I right thinking that sudo in base is still vulnerable to
 CVE-2013-1776 for those who enable tty_tickets?

Yes, but the situation is no worse than with tty_tickets disabled.
If you are really worried about this you can simply disable the
time stamp files by setting timestamp_timeout to 0.  This makes
sudo a lot less convenient to use though.

 - todd



Re: sudo configuration !ttytickets?

2013-09-14 Thread Alexander Hall

On 09/12/13 02:59, Michael W. Lucas wrote:

Hi,

I've noticed that the sudo on OpenBSD seems to have !ttytickets set by
default. In other words, I authenticate sudo once on, say, ttyp4, and
all of my login sessions on all my other ttyp* have authenticated to
sudo.

This, well, kind of surprised me. I'm sure you folks have thought this
through in much more detail than I have, but I can't find anything on
the rationale behind it.

It seems insecure. Can anyone enlighten me as to the thinking here?

Thanks,
==ml




FWIW, I tend to append this to /etc/sudoers:

- - - -
# Local settings
Defaults passprompt="Sudo password (%u@%h):", \
         tty_tickets, \
         passwd_timeout=0, \
         timestamp_timeout=60

%wheel  ALL=(ALL:ALL) SETENV: ALL
- - - -

Meaning I do use the 'per-tty' sudo ticket, extending the timeout to 60 
minutes. Some issues remain though;


- Making sure to 'sudo -k' on leaving the shell (or, rather, tty).
  'trap' helps here, at least a bit, but I'm not sure I catch 100%
  of the cases.
- If you don't have a tty (ssh -T $HOST sudo $whatever), calling it
  again won't prompt for a password. (sudo -k $whatever would, however)

I'm sure there are more potential flaws with the setup. Call it security 
by obscurity if you please, but it makes me feel a tad better about 
upping the timeout.


The passprompt change is really helpful at times though, not to be 
mistaken for an ssh password, a sudo password on another machine or sth 
else.


/Alexander
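One way to automate the "sudo -k on leaving the tty" step Alexander describes, as an added example that is not from the thread or from the sudo project: a POSIX sh fragment for an interactive login shell's startup file that installs an EXIT trap which invalidates the cached sudo credentials, and turns a terminal hangup into a normal exit so the same trap fires. The SUDO_CMD variable and the function names are assumptions of this example (SUDO_CMD exists only so the hook can be exercised against a stand-in instead of the real sudo binary); it assumes tty_tickets is enabled, as in Alexander's sudoers.

```shell
#!/bin/sh
# Added example, not code from the thread: a shell-exit hook that
# invalidates the sudo time stamp when the login shell leaves the tty.
# Meant to be sourced from ~/.profile (or ~/.kshrc) of an interactive shell.

# SUDO_CMD is an assumed name for this example: it lets the hook be
# exercised against a stand-in instead of the real sudo binary.
SUDO_CMD="${SUDO_CMD:-sudo}"

# Invalidate the caller's cached sudo credentials. 'sudo -k' with no
# command never prompts for a password, so it is safe in a trap.
revoke_sudo_ticket() {
    "$SUDO_CMD" -k
}

# Run the revocation on normal exit (EXIT). A terminal hangup (HUP, e.g. a
# dropped ssh session) is turned into an explicit exit so the EXIT trap
# runs there too. A shell killed with SIGKILL, or a connection that dies
# without SIGHUP ever being delivered, still leaves the ticket in place
# until timestamp_timeout expires: this is the residual gap Alexander
# refers to when he says he is not sure he catches 100% of the cases.
install_sudo_exit_hook() {
    trap 'revoke_sudo_ticket' EXIT
    trap 'exit 129' HUP
}

# Source this file, then call install_sudo_exit_hook once per shell.
```

Note that the hook only helps where there is a login shell to exit; Alexander's second case (`ssh -T $HOST sudo $whatever`, no tty) runs sudo without an interactive shell around it, so nothing here fires and the behaviour he describes is unchanged.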



Re: sudo configuration !ttytickets?

2013-09-13 Thread Donovan Watteau
On Thu, 12 Sep 2013 13:43:21 -0700, Todd C. Miller wrote:

 On Wed, 11 Sep 2013 20:59:08 -0400, Michael W. Lucas wrote:
 
  I've noticed that the sudo on OpenBSD seems to have !ttytickets set by
  default. In other words, I authenticate sudo once on, say, ttyp4, and
  all of my login sessions on all my other ttyp* have authenticated to
  sudo.
  
  This, well, kind of surprised me. I'm sure you folks have thought this
  through in much more detail than I have, but I can't find anything on
  the rationale behind it.
 
 
 It's quite simple really, the version of sudo in OpenBSD (a patched
 version of 1.7.2p8) predates the change to use tty_tickets by default.
 
 I've always felt that tty_tickets gives a false sense of security,
 though it is somewhat improved in more recent sudo versions where
 the tty is determined via sysctl() rather than by ttyname().
 
  - todd

Hi,

Am I right thinking that sudo in base is still vulnerable to
CVE-2013-1776 for those who enable tty_tickets?

BTW, I was thinking about the following use case: PermitRootLogin set
to no, and a simple user who can only use public key SSH
authentication.  Defaults rootpw is set, too.  Then, I'd use sudo
when I'd need it (as it's suggested to use SUDO=/usr/bin/sudo for
ports, etc.).  Then, let's say someone manages to get the private key
of my user (that's already a big problem of course, but it's an
unprivileged user who can't sudo without providing root's password).
If the attacker logs in while the timestamp timeout is still valid he
can do whatever he wants with sudo without typing any password, right?
So I could set tty_tickets, but if it can't be trusted too much,
shouldn't su(1) be used instead for this use case? (or sudo with a 0
timestamp timeout, but then I'd rather use su.)

I hope this question isn't too stupid, but I'd rather ask.  Some parts
of the FAQ suggest setting up sudo, but with no particular setup, and
the one I was thinking about doesn't look good.

Thanks.



Re: sudo configuration !ttytickets?

2013-09-13 Thread Nick Holland
On 09/13/13 06:44, Donovan Watteau wrote:
 On Thu, 12 Sep 2013 13:43:21 -0700, Todd C. Miller wrote:
 
 On Wed, 11 Sep 2013 20:59:08 -0400, Michael W. Lucas wrote:
 
  I've noticed that the sudo on OpenBSD seems to have !ttytickets set by
  default. In other words, I authenticate sudo once on, say, ttyp4, and
  all of my login sessions on all my other ttyp* have authenticated to
  sudo.
  
  This, well, kind of surprised me. I'm sure you folks have thought this
  through in much more detail than I have, but I can't find anything on
  the rationale behind it.
 
 
 It's quite simple really, the version of sudo in OpenBSD (a patched
 version of 1.7.2p8) predates the change to use tty_tickets by default.
 
 I've always felt that tty_tickets gives a false sense of security,
 though it is somewhat improved in more recent sudo versions where
 the tty is determined via sysctl() rather than by ttyname().
 
  - todd
 
 Hi,
 
 Am I right thinking that sudo in base is still vulnerable to
 CVE-2013-1776 for those who enable tty_tickets?
 
 BTW, I was thinking about the following use case: PermitRootLogin set
 to no, and a simple user who can only use public key SSH
 authentication.  Defaults rootpw is set, too.  Then, I'd use sudo
 when I'd need it (as it's suggested to use SUDO=/usr/bin/sudo for
 ports, etc.).  Then, let's say someone manages to get the private key
 of my user (that's already a big problem of course, but it's an
 unprivileged user who can't sudo without providing root's password).

non-root access to a machine is quite useful by itself, don't forget
that.  They may not be able to alter your machine, but it is still a
useful tool to an attacker.

 If the attacker logs in while the timestamp timeout is still valid he
 can do whatever he wants with sudo without typing any password, right?
 So I could set tty_tickets, but if it can't be trusted too much,
 shouldn't su(1) be used instead for this use case? (or sudo with a 0
 timestamp timeout, but then I'd rather use su.)
 
 I hope this question isn't too stupid, but I'd rather ask.  Some parts
 of the FAQ suggest setting up sudo, but with no particular setup, and
 the one I was thinking about doesn't look good.
 
 Thanks.

Your goal should probably be to be keeping inappropriate users out of
your system; making things clumsy after they are in is not really the
point, and could lead to poor administration.

There is a reason there are options -- there is no one right answer for
all uses.  Look at your realistic threats, and decide what measure of
risks and benefits you want.  su wins in simplicity, but does mandate a
shared password.  If you are the only admin, that's not an issue.

Nick.



Re: sudo configuration !ttytickets?

2013-09-13 Thread Donovan Watteau
On 09/13/13, Nick Holland wrote:
 On 09/13/13 06:44, Donovan Watteau wrote:
  Hi,
  
  Am I right thinking that sudo in base is still vulnerable to
  CVE-2013-1776 for those who enable tty_tickets?
  
  BTW, I was thinking about the following use case: PermitRootLogin set
  to no, and a simple user who can only use public key SSH
  authentication.  Defaults rootpw is set, too.  Then, I'd use sudo
  when I'd need it (as it's suggested to use SUDO=/usr/bin/sudo for
  ports, etc.).  Then, let's say someone manages to get the private key
  of my user (that's already a big problem of course, but it's an
  unprivileged user who can't sudo without providing root's password).
 
 non-root access to a machine is quite useful by itself, don't forget
 that.  They may not be able to alter your machine, but it is still a
 useful tool to an attacker.
 
  If the attacker logs in while the timestamp timeout is still valid he
  can do whatever he wants with sudo without typing any password, right?
  So I could set tty_tickets, but if it can't be trusted too much,
  shouldn't su(1) be used instead for this use case? (or sudo with a 0
  timestamp timeout, but then I'd rather use su.)
  
  I hope this question isn't too stupid, but I'd rather ask.  Some parts
  of the FAQ suggest setting up sudo, but with no particular setup, and
  the one I was thinking about doesn't look good.
  
  Thanks.
 
 Your goal should probably be to be keeping inappropriate users out of
 your system; making things clumsy after they are in is not really the
 point, and could lead to poor administration.

I was just trying to follow the mindset of not assuming that things
will not fail, and instead building things so that if there's any
problem it has less impact.  Of course, a stolen private key is probably
too much of an enormous fail in the first place.

 There is a reason there are options -- there is no one right answer for
 all uses.  Look at your realistic threats, and decide what measure of
 risks and benefits you want.  su wins in simplicity, but does mandate a
 shared password.  If you are the only admin, that's not an issue.

All right, so I think su better suits my use case.  Thank you very much.



Re: sudo configuration !ttytickets?

2013-09-12 Thread Matthew Weigel

On 2013-09-11 19:59, Michael W. Lucas wrote:


This, well, kind of surprised me. I'm sure you folks have thought this
through in much more detail than I have, but I can't find anything on
the rationale behind it.

It seems insecure. Can anyone enlighten me as to the thinking here?


I can't say whether this is the thinking of the OpenBSD developers, but 
I have seen some concerns over the years that tty_tickets gives a false 
sense of security.

--
Matthew Weigel
hacker
unique & idempot . ent



Re: sudo configuration !ttytickets?

2013-09-12 Thread Ted Unangst
On Thu, Sep 12, 2013 at 10:27, Matthew Weigel wrote:
 On 2013-09-11 19:59, Michael W. Lucas wrote:
 
 This, well, kind of surprised me. I'm sure you folks have thought this
 through in much more detail than I have, but I can't find anything on
 the rationale behind it.

 It seems insecure. Can anyone enlighten me as to the thinking here?
 
 I can't say whether this is the thinking of the OpenBSD developers, but
 I have seen some concerns over the years that tty_tickets gives a false
 sense of security.

This is technically true. If you used sudo on any tty (ttyA), somebody
at a different tty (ttyB) but logged in as the same uid, can simply
ptrace (gdb) the ttyA sh and tell it to run sudo.

This is a step more complicated than somebody just walking over to
your keyboard while you're getting coffee, but it's not particularly
difficult or implausible.

uid is the main means of implementing isolation in unix. Trying to
isolate two processes with the same uid is, imo, a generally fruitless
endeavor.



Re: sudo configuration !ttytickets?

2013-09-12 Thread Michael W. Lucas
On Wed, Sep 11, 2013 at 10:50:19PM -0600, Andy Bradford wrote:
 Thus said Michael W. Lucas on Wed, 11 Sep 2013 20:59:08 -0400:
 
  This, well, kind of surprised me. I'm sure you folks have thought this
  through in much more detail than I have, but I can't find anything on
  the rationale behind it.
 
 Is sudo enabled for any non-root users by default?
 

Sudo isn't enabled for non-root users by default.

It just seems a really strange default choice, one that nobody else
shares. But I wouldn't be shocked if there's a really good reason for
the !ttytickets default.

==ml

-- 
Michael W. Lucas  -  mwlu...@michaelwlucas.com, Twitter @mwlauthor 
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Absolute OpenBSD 2/e - http://www.nostarch.com/openbsd2e
coupon code ILUVMICHAEL gets you 30% off & helps me.



Re: sudo configuration !ttytickets?

2013-09-12 Thread Todd C. Miller
On Wed, 11 Sep 2013 20:59:08 -0400, Michael W. Lucas wrote:

 I've noticed that the sudo on OpenBSD seems to have !ttytickets set by
 default. In other words, I authenticate sudo once on, say, ttyp4, and
 all of my login sessions on all my other ttyp* have authenticated to
 sudo.
 
 This, well, kind of surprised me. I'm sure you folks have thought this
 through in much more detail than I have, but I can't find anything on
 the rationale behind it.

It's quite simple really, the version of sudo in OpenBSD (a patched
version of 1.7.2p8) predates the change to use tty_tickets by default.

I've always felt that tty_tickets gives a false sense of security,
though it is somewhat improved in more recent sudo versions where
the tty is determined via sysctl() rather than by ttyname().

 - todd



Re: sudo configuration !ttytickets?

2013-09-12 Thread Miod Vallat
 I can't say whether this is the thinking of the OpenBSD developers,
 but I have seen some concerns over the years that tty_tickets gives
 a false sense of security.

Not to mention the annoyance.

Miod



Re: sudo configuration !ttytickets?

2013-09-11 Thread Andy Bradford
Thus said Michael W. Lucas on Wed, 11 Sep 2013 20:59:08 -0400:

 This, well, kind of surprised me. I'm sure you folks have thought this
 through in much more detail than I have, but I can't find anything on
 the rationale behind it.

Is sudo enabled for any non-root users by default?

Andy
-- 
TAI64 timestamp: 40005231482b