Is administrators_authorized_keys a security problem? #1324
Comments
|
Reason behind this change: You could otherwise do the following in a non-elevated session, when sshd is running: This would bypass Windows UAC and lead to privilege escalation. How can we solve this? Where could it be? Should we separate out authorized_keys for different users in Administrators group? and effectively login as any user I wish. So, there is no real security benefit in separating authorized_keys for users in Administrators group. With an intent to keep things simple, we decided to go with a single file. If you wish, you could override it with something like this: |
|
So does this mean for a user in the Administrators group, it's authorized_keys file needs to be in Isn't the whole point of the LocalAccountTokenFilterPolicy the usual way to control this? Why would SSH be different when you could also say the same thing about a loopback WinRM command, or anything else that does a network logon. This is a bit concerning as you now have different behaviour from what users may expect which is to have this file in the user's * See the below for references
This is saying UAC is a defence in depth and not a security boundary |
|
It's my understanding that UAC is not a security boundary (so technically no privilege escalation is occuring). However I believe separate accounts are supposed to be a security boundary and out of the box, this configuration would allow any administrator to log in as any other administrator with no logging or auditing that it occurred. This seems to violate that security boundary. The new default configuration is the equivalent of just having everyone in an organization log in using a shared admin account. Shipping with the extra %u in the file by default would preserve the expected security boundary of using separate accounts (and allow filesystem auditing of administrators changing other user's authorized_keys files) while still mitigating the UAC problem. |
An admin can do this anyway if they have enough privileges set (the default set is enough). If you have the The key part here is that you don't have delegation capabilities so you cannot interact with network resources as that user unless you have the password. What I'm concerned about is the behaviour change for admin accounts that doesn't really achieve anything. This leads to fragmentation , confusion for end users, and adds complexity. |
|
I realize that as an administrator you can eventually accomplish anything, but calling a bunch of APIs to take over someone's account and typing "ssh otheruser@server" are on totally different levels. If you had two people with similar names you could accidentally end up logged in as someone else because of a typo, and that seems like we've set the bar a bit too low. |
|
You would still need to set up the key for that user under that directory. It's not one shared key just the location of the key is different. E.g there would be a key for Administrator under |
|
The configuration that is shipping now is a single administrators_authorized_keys for everyone in the Administrators group. I would be fine with the version that includes %u. |
|
Oh I did not realise that I thought the default was with |
|
Feedback taken. We'll consider a change in the next release. For the time being, please override. Also bear in mind the implications with domain accounts (%u would resolve to domain\user). |
|
@manojampalam did you end up making a decision on this, I see the next release is out and still contains this entry. |
|
Not yet. Contemplating on making yet another breaking change. The only drawback of the current setting is a potential "accidental log in as someone else because of a typo". In its defence, the current setting sets a clear expectation that all admins on a machine are equal. One can easily impersonate other, irrespetive of how the this path pans out. Its also easy to use and manage since there is no user specific variability in its path. |
|
Thanks for the update. My main objections to it is that it's a breaking change in the first place and a change in the expected behaviour for SSH in POSIX. We all know that by default an SSH key should be located in |
With a shared authorized_keys file you also cannot audit that one admin is editing another admin's authorized_keys file. Anyone setting up an SSH key is implicitly also enabling a backdoor login as any other admin. This would be the equivalent of me resetting my password and then being able to log in as any other user in AD. If the stance is that "any admin can [eventually] impersonate any other admin, so let's just enable it by default", then why even allow individual user accounts to be added to the administrators group? Just create a default "administrator" user and make everyone share the password. |
|
@gpduck I think what he is saying is once you can log in as 1 admin on the host you can then impersonate, or even logon as any other user (including domain accounts) on that host without knowing their password. You cannot authenticate over the network as that user but you can be sure I can pretend to be any account I want on that host. So sharing the key doesn't open any new security holes, maybe making the audit logs a bit more useless though and somewhat easier to execute. I do agree that it shouldn't be shared though. |
|
I understand that once an admin logs in, they can do any number of terrible things to a system. But do we not setup auditing, PowerShell logging, malware detection, and sysmon, etc to try and detect these behaviors? Do we not audit for password resets and question why someone reset someone else's password? Do we not audit for local account creation because we can't track who is using a generic local account? If I see UserA log in and edit UserB's authorized_hosts file, I know something is not right. If the system is configured for a shared authorized_hosts file there is no difference between setting up SSH and setting up a backdoor into someone else's account. With the shared file configuration you have 2 choices: no one can ever use SSH keys OR there is absolutely zero traceability for anything ever. |
|
Something to do with windows 7 isn't quite explained by this thread: Windows 10Works by commenting out or removing the "Match group ..." lines from the config Windows 7This thread is very confusing and I can't figure out how to fix the problem. I added to the configuration: I copied my authorized_keys to: I removed the privileges for "authenticated users" and the extended debugging still says |
|
@cdeadspine What version are you running? Reason I ask is because an issue related to using multiple matchgroup lines was fixed in this latest version. Might be a separate issue, but thought I'd mention it. |
|
I don't really see how this: ...offers better security than just commenting/removing this: From my tests, if you SSH as a normal user, you'll always get an 'Access Denied' if you want to stop/start a service or add/delete a registry key for example. As far as I can see, there's no way to escalate privileges if you SSH as a non-admin user. If you SSH as an admin user though, no matter the above sshd_config setup (whether the key is under %programdata% or %userprofile%), you're then able to stop/start a service, add a registry key, etc... without UAC control anyway. Lastly, I agree that the default sshd_config setup is generally really insecure (depending on use, of course): The OpenSSH event logs still show which key was used, but as noticed previously, this config offers the same security as multiple users sharing the same admin account (since any key in there can log in to any admin account)... To conclude, I just don't see the point of these last 2 lines in sshd_config, except if we don't want any admin to log in through SSH - but couldn't this be made simpler? This default configuration just adds confusion which took me days to figure out. |
|
Totally agree on this. Rip it out. I don't think it adds value just is confusing. If I have admin shell on a box I will own your host even with confusing rules like this. |
|
I found it expedient to comment out the lines in sshd_config that enable this feature. We're running server core. There's no point in defending against UAC elevation. |
|
I am of the same opinion as jborean93 and I think this is a clear identity mismatch when a local administrator on the machine running the OpenSSH server can edit the I understand, that this must be initiated by a local administrator but imho it should not be able to authenticate locally as a domain administrator on the OpenSSH server this way. It is quite usual to have developers being local administrators on domain member machines so I see some implications coming up here. Also everything can be undone just by removing the public key from the I opened a vulnerability report with MSRC to clarify the problem and to maybe force some changes here. |
|
Hello all, good discussion so far. Please let me explain in detail why I too think PR 369 was a mistake and must be reconsidered. It is my understanding that the concern that motivated the change was the following:
I tested this and it is true. ssh-ing to localhost as an administrator from an unelevated shell will land you in an elevated shell. Moving the ssh-keys for administrative users to a location that one cannot write to from a non-elevated process does indeed Something else I have not seen mentioned in this thread before is that the Windows OpenSSH server allows password authentication by default, so any administrator user can simply Summarizing so far:
So really, nothing changed. There was never a security-concern with the original configuration in the first place and there is none now. Administrators are administrators and they can do anything, with or without However, let's consider some of the downsides of the current configuration with
So please, reconsider this issue - especially with the glaring problems of the current implementation such as the localization bug, this is far from something that can be shrugged off as "wontfix - by design". Let's keep the discussion open. Possible suggestions:
Thanks! |
|
This is definitely a buggy default setting. !!! That fails in a multi language setup. !!! I just lost nearly half a day to understand that on my German windows machines the match rule needs to be Like @jantari 's suggestion of: Change the current Match rule to something like this: This would be a much better and windows language install agnostic setting and should be the default, not a per language adapted string. |
Thanks a lot for this! It probably saved me a lot of time. And also make sure your administrators_authorized_keys is UTF-8! In my first attempt it was UCS-2 LE BOM. |
|
Anyone know what the resolution to this issue is? I stumbled on this thread developing an OpenSSH PSRemoting implementation on Windows and this issue is marked closed without any indication as to the proper resolution. It seems to work on 7.7.2.2 by commenting out |
|
@mcx808 : Since the actual implementation is those lines telling sshd to look elsewhere for authorized_keys for administrators, commenting them out or deleting them makes an end of the problem. |
|
It's by design. |
|
So, here's another scenario that proves problematic. SSH on Windows is moderately non-standard as it is, so non-standard behavior FOR SSH at that point just amplifies the issues with adding it into managing systems. Because of this configuration decision, removing keys for people when they're being removed from an administrative role is a crapshoot. Deliberate, premeditated, attempts to maintain access (creating accounts, scripts/tasks/etc that put a user back into the Admins group, resetting passwords, tampering with per user keyfiles, etc) are one thing, and tend to stand out. Designing something into administrative tooling that hands that out like candy, with the added benefit of providing NO unique identification, is insane. Any administrative user can throw a key in that file and then impersonate any other into perpetuity WITHOUT their own account continuing to have administrative rights in any other way (including still being present or active in ANY way). Keys in that file are NOT uniquely identifiable to a particular user, since it's a shared list for all admin accounts (and the comment string tagging them with a name does not constitute a valid identity). |
|
So I've got to ask. For the people who have voiced security issues with this (I agree with them), have the security concerns been enough to dissuade you from using OpenSSH in production or have you found changing the defaults to be an acceptable compromise? To summarize the conversation thus far, we have multi user authentication with a single key for anyone in the admin group, which includes domain admins, as default behavior. Part of the reasoning on this is that admin users can do anything on the box so why restrict it. On the other hand, it enables easy user impersonation out of the box which could make it hard for auditing tools to detect anomalous/malicious behaviour. Fortunately, impersonated accounts can't get access to networked resources without knowing the user's password. Mitigations:
|
|
I have applied the workaround by having the script that enables OpenSSH PSRemoting also comments out the TBH I don't know why AdminAuthKeys exists. I get that an admin could do anything anyway but the paradigm for SSH user keys is already well established on all other systems that use it. I think it should be removed, if not certainly disabled by default. |
|
@jantari a key thing is missing from this analysis:
That one extra step makes the difference between any unprivileged program that you ever run from getting full admin privileges. If you never take this extra step and leave these weird Windows SSH customizations as-is, then no program that you install can ever run as admin without your permissions. If you take this step, or if you disable that SSH setting, then any and every program can run as admin without your permission. Better hope you audit every possible execution path through every bit of software on your system for any mistake which could be abused by a hacker to execute code - if not, then this weird SSH config might be the only thing that stands between a hacker and admin privileges. |
|
@mentalisttraceur : How about run with an actual separate account for admin. Right now, out of the box, UAC is a speed bump bypassed by about five thousand lines of code. (If you go drag the slider back to high it will go back to being ridiculous but also hard to bypass.) But if elevate to admin is run as a separate user, no bypass. |
|
Can I just add as well, that OpenSSH on windows seems to be the preferred control plane for Powershell Remoting where Kerberos is not in use. Since WinRM must be configured with https (and all the hassle with self-signed certs) otherwise for transport security. SSH already solves this with it's long history of server management and it's the only way of utilising PSRemoting on Linux (and macOS) so it's easier to manage unified SSH access via keys in estates with mixed platforms. I don't think introducing all this unexpected behaviour as default is going to help with OpenSSH adoption. |
|
@joshudson I mean yeah, if I were securing a Windows system I'd be inclined to seriously consider having a separate admin user and normally running as a non-admin user, kinda like we do with the root user on UNIX-likes. But for the people who aren't doing that, the risk of a hacker getting "about five thousand lines of code" (or the compiled binary of that code) onto a target machine, and then executing it... well that seems like a much larger burden for an attacker than
Fewer programs are so buggy as to be made to download and execute arbitrary code, more programs are buggy enough to f.e. catenate paths when downloading without checking for any |
More correctly, it makes the difference between any unprivileged program that any random user that happens to have admin runs (and doesn't just reflexively hit "yes" on the UAC prompt, which doesn't apply to the vast majority of users I've met) on a system that happens to have the ssh service also deployed and running from getting admin privileges. I would gamble the vast majority of people in the conversation here have their public keys already in authorized keys, whether in their profile or in the 'delightful' centralized, shared, file. If their private keys are on the system they're on (either without password or already loaded in ssh agent), and not also in a location that can only be read with administrative rights (meaning they would also only be able to ssh out from an elevated process, which comes with its own potential concerns)... processes running in their context can read that key, connect to localhost, and elevate just the same, no UAC. So, one more step even still. And we sacrifice any semblance of identity tied to public keys that grant admin rights in trade for it. Edit: And all that assuming the lack of separation of "every day user account" and "admin account for elevation" that is best practice because, if those are separate, and keys are handled right, the whole topic's a moot point. UAC trying to shoe-horn that context in the half-baked way that it does is a false sense of security, in my experience. And, "Fewer programs are so buggy as to be made to download and execute arbitrary code" ... given the frequency of that being core OS code on Windows, between the print spooler, 'troubleshooting wizards', etc... I'm honestly far less worried about a UAC bypass by a random program than I am long term lack of control over administrative rights and identity. |
|
Is there anyone that actually wants admins to have a non-standard, common file for their SSH keys? Since everybody says this breaking change (using a non-standard location for admins) is useless, provides no benefit, and adds additional hurdles. At this point, this change seems to be by bad design to hinder people on purpose. |
|
There are two very common and yet radically different use cases:
It is ONLY THE LATTER use case, as a server, where remote access via SSH is even needed at all (in nearly all cases), and, in fact, any remote access at all (whether through RDP or SSH) is a bad idea for nearly all desktops (with the exception of a few edge cases like road warriors or remote support). Obviously, these use cases are very, very different, but the current design appears to serve no one optimally. It appears that the current design is currently somewhat optimized for the first case, and it also appears that it blurs the lines for authorization as well, which further reduces its use in server situations. This situation is obviously untenable for server administrators, and therefore server administrators would (currently) be wise to disable SSH altogether until this gets straightened out. And, since SSH access is so rarely needed in the first case, it would also be wise to disable it there as well, if nothing else but to reduce the exposed surface area of a desktop system. Even worse, it appears that this current design breaks the PCI-DSS, HIPAA Security Rule, NIST, etc of one set of credentials (in this case, authorized_keys) per separate account by merging them all together. This will certainly be a huge problem in the event of an audit, as it should be. It's really no different from sharing your single AWS keypair with your entire team, and entire companies (i.e., userify, ssh.com) have been launched just to manage separate keypairs for different team members, and those products probably couldn't even really exist (at least, with proper separation of concerns) in the current design. |
|
Spent multiple hours dealing with this issue. In case it helps someone in the future, make sure that your |
@bilby91 your comment saved me from a migrane. |
|
#1324 (comment) says:
I also find it PITA while juggling SSH-based access to my VM-s used as ephemeral cluster nodes.
|
|
Just hit this also. Non-normal behavior for Windows vs just about every other ssh server is a bit of a disservice to users. Honestly it seems like the whole logic behind this change is "security by obscurity" which isn't security at all. @manojampalam can this be reconsidered in the next release? We've had several releases but I haven't seen a new comment here. |
|
this acctualy dont have a sin, you can add new domain user , and login in another person account via ssh(not sure what kind of damage u can make, but fur sure allot , just image if someone dosent have 2fa),at least that if it possible limit local admin to being unable to add domain user, thats way i love linux more ! |
and others
Can someone please explain the reasoning behind PowerShell/openssh-portable/pull/369?
Unless I just don't know what I'm doing, it seems like this lets anyone with a key in administrators_authorized_keys log in as any other user in the administrators group? I feel like this should not be a default configuration (or anyone's configuration really)...
The text was updated successfully, but these errors were encountered: