Could SystemTap be used by a malicious person to steal ssh passwords easily?
Forum: Linux - Security (all security related questions: tips, system compromises, firewalls, etc.)
Brendan Gregg has a sample dtrace script that shows how dtrace can be used to steal an ssh password or passphrase easily, so people should be careful if someone is running a dtrace script on their system. For the same reason I want to know whether SystemTap would also allow a malicious person to easily steal ssh passwords, and if so, whether there is a sample SystemTap program which shows that capability. I just need that to confirm whether we should prohibit users from using the tool on production boxes under normal circumstances.
Normally, systemtap is an administrative tool that gives the sysadmin (root)
full power to observe and affect kernel / userspace behaviour, including
indeed spying on ttys (see the ttyspy.stp example). You would definitely
not want to hand such power to everyone, just as you wouldn't hand out root
passwords to everyone.
Systemtap also has lower-privilege modes ("stapusr"), which are carefully
limited to allow people to only observe and affect their own userspace processes.
These limitations exclude the ability to spy on other users or on the kernel.
It takes a little one-time setup work for the sysadmin to get this sort of
operation enabled (because it relies on network services & cryptography); see
the privilege-related sections in stap(1) and stap-server(8), and the
README.unprivileged file in the systemtap source/binary distributions.
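The reply above turns on who holds SystemTap privileges: members of stapdev get the root-equivalent observability described (including tty spying), while stapusr/stapsys are the restricted modes. The following audit helper is an added example, not code from the thread or from the SystemTap project. It assumes the group names stapdev, stapusr and stapsys documented in stap(1), and that kernel modules built by stap carry a "stap_" name prefix (an assumption about stap's default module naming); sample group and module data are constructed inline so it runs offline.

```shell
#!/bin/sh
# Added audit helper (not from the thread or the SystemTap project): lists who
# holds SystemTap privileges and whether any stap-built kernel module is loaded.
# Group names stapdev/stapusr/stapsys come from stap(1); the "stap_" module
# prefix is assumed to be stap's default naming for the modules it builds.

# Print "group:user" for every member of a SystemTap privilege group.
# $1 = file in /etc/group format (default /etc/group).
stap_privileged_users() {
    awk -F: '
        $1 == "stapdev" || $1 == "stapusr" || $1 == "stapsys" {
            n = split($4, users, ",")
            for (i = 1; i <= n; i++)
                if (users[i] != "") print $1 ":" users[i]
        }' "${1:-/etc/group}"
}

# Print names of loaded kernel modules whose name starts with "stap_".
# $1 = file in /proc/modules format (default /proc/modules).
stap_modules_loaded() {
    awk '$1 ~ /^stap_/ { print $1 }' "${1:-/proc/modules}"
}

# Return 0 when nobody is in stapdev (root-equivalent power) and no stap
# module is loaded; return 1 and print the findings otherwise.
stap_audit() {
    group_file="${1:-/etc/group}"
    modules_file="${2:-/proc/modules}"
    status=0
    if stap_privileged_users "$group_file" | grep -q '^stapdev:'; then
        echo "stapdev members (can observe ttys of every user):"
        stap_privileged_users "$group_file" | grep '^stapdev:'
        status=1
    fi
    if [ -n "$(stap_modules_loaded "$modules_file")" ]; then
        echo "SystemTap-built kernel modules currently loaded:"
        stap_modules_loaded "$modules_file"
        status=1
    fi
    return $status
}

# Constructed sample data so the script can be run offline; on a real host
# call stap_audit with no arguments to read /etc/group and /proc/modules.
demo() {
    tmp=$(mktemp -d)
    cat >"$tmp/group" <<'EOF'
root:x:0:
stapdev:x:156:alice
stapusr:x:157:alice,bob
stapsys:x:158:
users:x:100:carol
EOF
    cat >"$tmp/modules" <<'EOF'
stap_1234abcd_4321 262144 0 - Live 0x0000000000000000 (OE)
ext4 737280 1 - Live 0x0000000000000000
EOF
    if stap_audit "$tmp/group" "$tmp/modules"; then
        echo "no findings"
    else
        echo "review the findings above"
    fi
    rm -rf "$tmp"
}
```

Running `demo` on the constructed data reports alice as a stapdev member and the loaded stap_ module; only stapusr membership (bob) is left unreported, since that mode is confined to the user's own processes, as the reply explains.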
secure ssh not secure in face of kernel-resident monitoring
Quote:
Originally Posted by sundialsvcs
"you should never be using passwords with ssh anyway. You should always be using keys, and encrypting those keys."
Those precautions don't do anything against an attacker who has control over the kernel. The moment the ssh client gets to decrypt those keys, a kernel-resident tool can grab them.