[vox-tech] Providing access to SSH on Kiosk?

ME vox-tech@lists.lugod.org
Mon, 12 Jan 2004 18:41:59 -0800 (PST)


> Earlier, Bill asked about user security with a kiosk Linux system...

Sorry, jumping into this thread after having deleted other messages. If
this has been mentioned, then ignore:

Anyone who lacks an understanding of the risk of using a public station
to ssh to another box is dancing with the devil. (Condemnation of users
who would actually use ssh on untrusted machines.)

#1 (as I have said many times) ssh does nothing to secure the box in which
it is used. SSH is only useful in trying to create a "secure connection
over an insecure network."

#2 When you run a public box as a Kiosk, the box is likely to be available
to many anonymous users. When a new user arrives to use a box to which
many other users have had physical access (and worse yet, unsupervised
physical access) as an authentication point, they must trust not
only the creators of the source for the packages, but also the packagers,
and the person who built the box and *all* of the people who have touched
the box since the OS was installed. Consider the multi-tier process of
security vs. compromise: shell -> local exploit, no shell but physical
access -> boot single user mode, password LILO, use external boot media,
password BIOS -> short BIOS. With sufficient resources, physical access is
a security risk. In the most basic sense, at least a DoS can be completed.

#3 Keyboard wedges that record keystrokes can also be placed in-line
between the keyboard and the CPU. They can be small enough to often go
without being noticed.

With so much reliance on ssh, there are many exploits and trojan kits
out there for ssh, from trojans/wrappers, to local port
redirection/piggyback, to conducting exploits against remote targets.

Given a shell, it is also possible to create "time bombs" where the
machine will follow directions long after the user who dropped the
package has logged out-- potentially harming another user.

Kiosks are great for demoing web surfing and the GUI, but testing ssh to trust
remote machines from untrusted local machines is risky. I consider
encouraging people to ssh from an untrusted machine to be *almost* as bad as
using gpg from a shell on an untrusted machine (gpg with keys and an ID that
are used by others as part of the Web of Trust.)

It is because of my lack of trust for how ssh is installed and used on
untrusted machines that I installed SquirrelMail to check my mail (and
sync it to a different password DB than my shell with different
authentication credentials.) If someone steals my webmail credentials,
they can see my unencrypted mail, but at least they can shell to my box.

(The problems above exist for other OSes used as Kiosks. For example, these
apply to Windows software, but in addition there are more risks with
Windows than I list above.)

(Maybe, if someone can get me a ride out to LUGOD over the summer, I might
be able to do a brief presentation on SquirrelMail with courier imap... or
if there are other SM users who are up for it, combine with them and team
up to offer a presentation on it.)

Again, the above having been said, Kiosks are *great* tools for showing
people the excellent advantages of Linux. They are excellent tools for
demonstration and for giving people the opportunity to feel something of the OS.

Countermeasures include having Kiosks that are client-server based and
netboot, with the Kiosk unit mounting an NFS root that is read-only and a
server that is physically secured. The user must still trust the installer
of the OS, and the packagers as well as the coders. There is also a risk of
keyboard wedges, shoulder surfing and other similar attacks, but since the
client netboots, the HD, CDROM, DVD, and floppy drive can be physically
removed, custom kernels can further disable port access (firewire, usb,
serial, parallel) and the BIOS can be down-graded to not support other
booting hardware. Also, netboot permits many, many clients to all share
one server.

-ME
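A client-side audit of the countermeasures the post lists (the LILO password from the physical-access chain in #2, and the read-only NFS root and removed drives from the netboot design at the end), added here as an example that is not part of the original post; the function names, file-path parameters and the constructed sample files are my own assumptions, and the real inputs on a client would be /proc/mounts, /etc/lilo.conf and /proc/partitions.

```shell
#!/bin/sh
# Added example (not from the post): audit a kiosk client for the
# countermeasures it names. Files are parameters so the checks can run
# against constructed samples as well as the live /proc and /etc files.

# check_root_ro MOUNTS: succeed if "/" is an NFS mount carrying the ro option
# (the kernel's synthetic "rootfs / rootfs rw" line never matches ^nfs).
check_root_ro() {
    awk '$2 == "/" && $3 ~ /^nfs/ && ("," $4 ",") ~ /,ro,/ { ok = 1 }
         END { exit (ok ? 0 : 1) }' "$1"
}

# check_lilo_password LILO_CONF: succeed if an uncommented "password=" line is
# present, so "linux single" or "init=/bin/sh" at the prompt needs the password.
check_lilo_password() {
    grep -Eq '^[[:space:]]*password[[:space:]]*=' "$1"
}

# check_no_local_disks PARTITIONS: succeed if no block device besides ram/loop
# devices is listed, i.e. the HD/CDROM were physically removed.
# Assumes the "major minor #blocks name" layout of /proc/partitions.
check_no_local_disks() {
    awk 'NR > 2 && NF >= 4 && $4 !~ /^(ram|loop)/ { found = 1 }
         END { exit (found ? 1 : 0) }' "$1"
}

# run_check FUNC FILE: print PASS/FAIL for one check and propagate its status.
run_check() {
    if "$1" "$2"; then echo "PASS $1"; else echo "FAIL $1"; return 1; fi
}

# kiosk_audit MOUNTS LILO_CONF PARTITIONS: run every check and return the
# number that failed (0 means the client matches the netboot design above).
kiosk_audit() {
    fails=0
    run_check check_root_ro "$1" || fails=$((fails + 1))
    run_check check_lilo_password "$2" || fails=$((fails + 1))
    run_check check_no_local_disks "$3" || fails=$((fails + 1))
    return "$fails"
}

# Stand-alone run on constructed sample files modelling a hardened client.
if [ "$#" -eq 0 ]; then
    d=$(mktemp -d)
    printf 'rootfs / rootfs rw 0 0\n192.0.2.10:/export/kiosk / nfs ro,nolock 0 0\n' > "$d/mounts"
    printf 'boot=/dev/hda\npassword=example\nrestricted\nimage=/boot/vmlinuz\n' > "$d/lilo.conf"
    printf 'major minor  #blocks  name\n\n   1        0    4096 ram0\n' > "$d/partitions"
    kiosk_audit "$d/mounts" "$d/lilo.conf" "$d/partitions"; rm -rf "$d"
fi
```

Run it with no arguments for the constructed demo, or pass the three live files to audit a real client.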