lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CY1PR20MB0156B3C4F7054CAD56F7A8E1D0760@CY1PR20MB0156.namprd20.prod.outlook.com> Date: Fri, 27 Jan 2017 17:00:30 +0000 From: Daniel Elebash <danelebash@...mail.com> To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: [FD] Digital Ocean ssh key authentication security risk -- password authentication is re-enabled Regarding digitalocean.com cloud computing. PasswordAuthentication is reset to yes in /etc/ssh/sshd_config when using ssh key authentication given the following scenario: When creating a new droplet from a snapshot where ssh key authentication "PasswordAuthentication" in /etc/ssh/sshd_config was previosly set to no, "PasswordAuthentication" is reset to yes. I am not sure how common this scenario is but for me I often create a base snapshot that is pre-configured with firewall settings, sudo user, ssh key authentication, various apps, hardening etc. that I can then use when spinning up a new server so I don't have to start from scratch. By doing this I was unaware that PasswordAuthentication was automatically re-enabled and that these servers were no longer secure via ssh key authentication only, leaving them open to Brute Force attacks. Steps to reproduce: Tested using an Ubuntu 16.04 droplet image 1. Create a new Ubuntu 16.04 droplet and secure it using ssh key authentication 2. Edit /etc/ssh/sshd_config and set PasswordAuthentication no 3. Reload ssh 4. Verify that you can log in using key authentication only, trying via password should be rejected. 5. Create a snapshot of this droplet 6. Create a new droplet from this snapshot 7. Open /etc/ssh/sshd_config and PasswordAuthentication will be reset to yes You will now be able to log in via ssh using passwords instead of key authentication only. _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists