[conspire] Re: [vox] password stolen at linuxworld

Rick Moen rick at linuxmafia.com
Sun Aug 10 13:09:50 PDT 2003

[Ryan posted this to LUGOD's vox mailing list.  I'll be sending him
a copy of this post.  His post detailed a post-conference break-in with
follow-ups from IP =, and possible compromise of other
machines he uses.]

Quoting Ryan Castellucci (ryan+lugod at cal.net):

> Someone at linux world seems to have gotten ahold of my ssh user password 
> from when I used it at linuxworld.

Condolences.  I'm sure you know that no executables, configuration
files, or user dotfiles can be trusted from the compromised machine, and
you must rebuild without reusing those.

I took a look at those public-usage LWCE machines and thought "No
thanks", having no confidence whatsoever in IDG's ability to admin
machines competently.  On some occasions, I might have been willing to
ssh home from an LNX-BBC or Knoppix CD -- though that still leaves open
the possibility of hardware-level snooping.

> I suspect that my password was either sholder surfed (unlikely, it'd
> be hard to memorize....) or someone was runnning man-in-the-middle
> attacks, and forced an SSHv1 session to prevent a warning, simply
> prompting for a new key.

It could have been man-in-the-middle (MITM), given that you probably weren't
carrying a copy of your ~/.ssh/known_hosts and ~/.ssh/known_hosts2 files
with you, and were trusting local DNS for your initial connection home.
You would have seen an advisory message saying the remote host's key was
so-and-so, and did you wish to accept it?  Doing that from an
untrustworthy site is taking a huge risk (as is any use of ssh where you
accept host keys you have no reason to trust).

One alternative, which I _do_ use, is to carry around a copy of my
known_hosts and known_hosts2 files on a USB flash drive, which I keep in
my pocket.  It completely eliminates MITM attacks:  If I try to ssh home
and my ssh client says "Warning: the host key has changed", then I know
I've reached an imposter rather than my own machine, and am forewarned 
prior to login.

If you expect to have to ssh home from untrustworthy locations such as 
conferences frequently, then I'd suggest setting up a second sshd on a
non-standard port, that has been patched to use OPIE or S/Key (or uses
the PAM OPIE module) for one-time-pad authentication.  (Or you can
configure your existing sshd to accept _either_ unix passwd or opie.)

However you do it, once you have your system configured to accept
one-time-pad authentication, you can safely enter it from
presumed-compromised networks using one of the supply of one-time keys
you're carrying with you, either on a paper printout or via one of the
handy PalmOS applications for that purpose such as PalmKey.  The bad
guys can log your passwords all day long:  It won't do them any good,
because they're each good only once.

Cheers,      "Transported to a surreal landscape, a young girl kills the first
Rick Moen     woman she meets, and then teams up with three complete strangers
rick at linuxmafia.com       to kill again."  -- Rick Polito's That TV Guy column,
              describing the movie _The Wizard of Oz_

More information about the conspire mailing list