Feathers McGraw's Avatar
Posts: 654 | Thanked: 2,368 times | Joined on Jul 2014 @ UK
#1
I don't like leaving SSHD running on my phone, because it leaves the phone vulnerable to brute-force password attacks against SSH when on mobile networks and public wifi. I'd never leave a server like that, so I'm definitely not going to do that on my phone.

I've been frustrated a few times to find that nemo's PW is reset when the GUI option to enable or disable remote access is toggled. Even if you don't enter anything in the new PW box or click "generate", enabling or disabling SSHD will wipe the existing PW. Grr!

I did some experimenting... this is with SSHD enabled:

Code:
[root@Jolla nemo]# cat /etc/passwd | egrep '\<(root|nemo)\>'
root:x:0:0:root:/root:/bin/bash
operator:x:11:0:operator:/root:/sbin/nologin
nemo:x:100000:100000::/home/nemo:/bin/bash

[root@Jolla nemo]# cat /etc/shadow | egrep '\<(root|nemo)\>'
root:!*:16571:0:99999:7:::
nemo:topsecretpasswordhash:::

After turning remote access off in the GUI:

Code:
[root@Jolla nemo]# cat /etc/passwd | egrep '\<(root|nemo)\>'
root:x:0:0:root:/root:/bin/bash
operator:x:11:0:operator:/root:/sbin/nologin
nemo:x:100000:100000::/home/nemo:/bin/bash

[root@Jolla nemo]# cat /etc/shadow | egrep '\<(root|nemo)\>'
root:!*:16571:0:99999:7:::
nemo::16816:0:99999:7:::

So:
  • like most (all?) modern Linux distros, the password hashes are stored in /etc/shadow, and the non-sensitive info is stored in /etc/passwd
  • devel-su authenticates with nemo's password, not the root password ("set a password for SSH and root access" should be clearer IMO)
  • root password is never set by Jolla utilities
  • disabling SSHD clears nemo's password as well as disabling SSH

The whole thing is quite irritating really, because you can't easily control the two settings independently of each other in the GUI, AND the device is very insecure - it would literally take someone 30s to get root access.

I've been trying to think of a decent way to separate the two, but I don't think there's an obvious perfect solution. Here are my thoughts on workarounds with the current setup:

You can set a password for nemo using the utility passwd, which will enable you to use devel-su in fingerterm without SSHD, but enabling SSHD in the GUI will still clobber your PW.

I guess you can also manually change SSHD to allow publickey authentication only, but I'm not sure if the GUI setting will clobber this too. This also doesn't solve the problem that someone can pick up your device and root it in 30s.

If I could go back in time and whisper in the Jolla devs' ears as they were designing the system, here's how I'd suggest setting it up:
  • On first boot (or first time enabling developer mode), the user is asked to set a root PW. Scary warning not to forget this or you won't be able to reset it without factory resetting the device.
  • Devel-su asks for root PW, not nemo's PW.
  • No way to change root PW if you forget it without doing a factory reset of the device (wipes data).
  • Remote connection does pretty much the same thing it does now, i.e. sets nemo's password (which isn't used for anything apart from SSH) and enables/disables SSHD. Technical users could require publickey authentication if they wanted by changing /etc/ssh/sshd_config, in which case the GUI changing nemo's password wouldn't make a difference to anything.

Two questions for the rest of you:
  1. What do you think is the best way to handle the current setup on Sailfish?
  2. If you could start fresh and do whatever you wanted, how would you approach root access and SSHD?

Hopefully I'm not the only one irritated by this
 

The Following 5 Users Say Thank You to Feathers McGraw For This Useful Post:
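An added example, not part of the original post and not Jolla's code: a small audit that classifies the password field of shadow entries (the empty, locked and set states visible in the two dumps above) and combines it with the global `PasswordAuthentication` and `PermitEmptyPasswords` settings from an sshd_config file. The sample files, the function names and the result labels are constructed for illustration; Match blocks, Include files and keyboard-interactive authentication are not considered.

```shell
#!/bin/sh
# shadow_state FILE [USER...] prints "user state" per entry, where state is
# empty (no password), locked (field starts with ! or *) or set (a hash).
shadow_state() {
    file=$1; shift
    awk -F: -v users="$*" '
        BEGIN { n = split(users, u, " "); for (i = 1; i <= n; i++) want[u[i]] = 1 }
        n && !($1 in want) { next }
        {
            if ($2 == "") s = "empty"
            else if ($2 ~ /^[!*]/) s = "locked"
            else s = "set"
            print $1, s
        }' "$file"
}

# sshd_option FILE KEYWORD DEFAULT prints the global value; sshd uses the first
# occurrence of a keyword. Simplification: Match blocks and Include are ignored.
sshd_option() {
    awk -v key="$2" -v def="$3" '
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }' "$1"
}

# ssh_password_exposure SHADOW SSHD_CONFIG USER (labels are hypothetical)
ssh_password_exposure() {
    state=$(shadow_state "$1" "$3" | awk '{ print $2 }')
    pw=$(sshd_option "$2" PasswordAuthentication yes)   # sshd default: yes
    empty=$(sshd_option "$2" PermitEmptyPasswords no)   # sshd default: no
    case "$pw:$state:$empty" in
        no:*)          echo "password-auth-off" ;;
        yes:set:*)     echo "password-guessable" ;;
        yes:empty:yes) echo "open-without-password" ;;
        *)             echo "no-password-login" ;;
    esac
}

# Constructed sample files: the two shadow states shown in the post, plus two
# hypothetical sshd_config variants.
demo_dir=$(mktemp -d)
printf '%s\n' 'root:!*:16571:0:99999:7:::' 'nemo:topsecretpasswordhash:::' > "$demo_dir/shadow.on"
printf '%s\n' 'root:!*:16571:0:99999:7:::' 'nemo::16816:0:99999:7:::' > "$demo_dir/shadow.off"
printf '%s\n' '#PasswordAuthentication yes' 'PubkeyAuthentication yes' > "$demo_dir/sshd_default"
printf '%s\n' 'PasswordAuthentication no' 'PubkeyAuthentication yes' > "$demo_dir/sshd_keyonly"

shadow_state "$demo_dir/shadow.off" root nemo
ssh_password_exposure "$demo_dir/shadow.on" "$demo_dir/sshd_default" nemo
ssh_password_exposure "$demo_dir/shadow.on" "$demo_dir/sshd_keyonly" nemo
ssh_password_exposure "$demo_dir/shadow.off" "$demo_dir/sshd_default" nemo
```

On a device, point the functions at /etc/shadow and /etc/ssh/sshd_config as root.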
mced's Avatar
Posts: 115 | Thanked: 185 times | Joined on Apr 2011 @ Spain
#2
Originally Posted by Feathers McGraw:
Hopefully I'm not the only one irritated by this

It seems you are

Point I: Yeah, this SSHD/password GUI config is kind of surrealist.

II: If I wanted to enable/disable SSHD, probably I would try systemctl start/stop sshd.

III: My 3G provider, Yoigo (Telia Sonera) gives IPs behind a CGNAT. So the SSH daemon is not accessible to the whole world. Of course, there are these WhatsApp teenagers behind the same CGNAT as me, but I don't expect them to know what SSH means.

IV: The same thing with public wifis at restaurants, transport and the like.

V: Get root access in 30 seconds? Could you post a link to this bug?

VI: I don't know why, but I'm unable to set RSA key authentication on my Jolla. I've got three or four Debian machines, my Raspbian RPi and an OpenWRT router, all of them sharing their respective RSA keys: they work flawlessly. But when it's time to log into my Jolla this way, "Permission denied (publickey)".
 

The Following 3 Users Say Thank You to mced For This Useful Post:
jellyroll's Avatar
Posts: 435 | Thanked: 684 times | Joined on Apr 2012 @ Netherlands 020
#3
This all works differently compared to the Maemo system.
 
Feathers McGraw's Avatar
Posts: 654 | Thanked: 2,368 times | Joined on Jul 2014 @ UK
#4
Originally Posted by mced:
III: My 3G provider, Yoigo (Telia Sonera) gives IPs behind a CGNAT. So the SSH daemon is not accessible to the whole world. Of course, there are these WhatsApp teenagers behind the same CGNAT as me, but I don't expect them to know what SSH means.

IV: The same thing with public wifis at restaurants, transport and the like.

I'm really surprised to hear someone on this forum make an argument like this. Do you always rely on other people's incompetence for the security of your systems?

Originally Posted by mced:
V: Get root access in 30 seconds? Could you post a link to this bug?

  1. pick up a jolla
  2. enable developer mode
  3. toggle remote connection and set whatever password you like, without having to know the current password
  4. open fingerterm
  5. use devel-su with the password you just set to run commands as root

You shouldn't be able to set the password required for root access like that, it's stupid. On a normal system, if you log in as a user in the sudo group, you need to know either that user's password or the root password to run commands as root (depending on how sudo is configured). If you want to change your own password, you need to know the current password.

Originally Posted by mced:
VI: I don't know why, but I'm unable to set RSA key authentication on my Jolla. I've got three or four Debian machines, my Raspbian RPi and an OpenWRT router, all of them sharing their respective RSA keys: they work flawlessly. But when it's time to log into my Jolla this way, "Permission denied (publickey)".

Works fine here:

Code:
sam@T440s:~$ ssh-copy-id nemo@192.168.1.227
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
nemo@192.168.1.227's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'nemo@192.168.1.227'"
and check to make sure that only the key(s) you wanted were added.

sam@T440s:~$ ssh nemo@192.168.1.227
Enter passphrase for key '/home/sam/.ssh/id_rsa': 
Last login: Sun Feb 14 20:22:17 2016 from 192.168.1.112
,---
| SailfishOS 2.0.1.7 (Taalojärvi) (armv7hl)
'---

I don't think I had to enable publickey authentication, pretty sure the default configuration allows it.
 

The Following 4 Users Say Thank You to Feathers McGraw For This Useful Post:
jellyroll's Avatar
Posts: 435 | Thanked: 684 times | Joined on Apr 2012 @ Netherlands 020
#5
I do remember that the MeeGo/Harmattan used to have the same settings for ssh and developer mode. It's nice to see the password being reset all the time while using a device lock code and one access IP.
 

The Following User Says Thank You to jellyroll For This Useful Post:
pichlo's Avatar
Posts: 6,445 | Thanked: 20,981 times | Joined on Sep 2012 @ UK
#6
Originally Posted by Feathers McGraw:
  1. pick up a jolla
  2. enable developer mode
  3. toggle remote connection and set whatever password you like, without having to know the current password
  4. open fingerterm
  5. use devel-su with the password you just set to run commands as root

If you were as security conscious as your posts suggest, you would have a step between 1 and 2:
  • guess the unlock code

Why worry about the root access anyway? All the important stuff is in the user land: your files, your contacts, your login creds to various services... About the only thing that knowing the root password gives you are the access to other users' data and the possibility to install stuff, both irrelevant on Jolla.
__________________
Russian warship, go fuck yourself!
 

The Following 4 Users Say Thank You to pichlo For This Useful Post:
Feathers McGraw's Avatar
Posts: 654 | Thanked: 2,368 times | Joined on Jul 2014 @ UK
#7
Originally Posted by pichlo:
If you were as security conscious as your posts suggest, you would have a step between 1 and 2:
  • guess the unlock code

Jolla should ship sensible and secure defaults. It's not unreasonable to expect some privilege separation between nemo and root, and that shouldn't depend on having a lock code (I do use one by the way, but it's beside the point).

Originally Posted by pichlo:
Why worry about the root access anyway? All the important stuff is in the user land: your files, your contacts, your login creds to various services...

I don't disagree (in fact I've made that point before, so much stuff on SFOS runs as nemo including systemd). There are still some things you can do without root though, in particular it's much more difficult to hide your tracks without root. An attacker with root privileges can clean up after themselves. It doesn't make any sense to throw away that security boundary unnecessarily.

Originally Posted by pichlo:
the possibility to install stuff...irrelevant on Jolla.

Why is it irrelevant on Jolla? Do you mean because you can install software without root with pkcon? I pointed this out before, and someone noted that you can't add a repo without root. The damage you can do without root is limited and relies on malicious software in trusted repos, or the existence of apps in those repos that could be exploited to gain root.

I don't understand why people are trying to pass this off as unimportant. I'm not just hating on SFOS, what I'm saying is that Jolla seem to have hacked this part of the system together and have overlooked the fact that it leaves a hole in the system's security unnecessarily.
 

The Following 2 Users Say Thank You to Feathers McGraw For This Useful Post:
Posts: 290 | Thanked: 385 times | Joined on Jan 2012 @ Madrid, Spain
#8
Hi.
My n9 has the following firewall rule for ssh connections:
Code:
-A INPUT -i gprs0 -p tcp -m tcp --dport 22 -j DROP

This silently drops all incoming connections to the gprs0 interface. OTOH I'm only in WiFi when I'm at home. (Controlled environment)
I don't have a Jolla (yet), but if it has a firewall this solution is fairly simple in my opinion.
Regards.
 

The Following 2 Users Say Thank You to pasko For This Useful Post:
jellyroll's Avatar
Posts: 435 | Thanked: 684 times | Joined on Apr 2012 @ Netherlands 020
#9
Originally Posted by Feathers McGraw:
I don't like leaving SSHD running on my phone, because it leaves the phone vulnerable to brute-force password attacks against SSH when on mobile networks and public wifi. I'd never leave a server like that, so I'm definitely not going to do that on my phone

You can try to compile Kippo[1]. I use it on my N900 sometimes with a script like this: nohup sh /script.sh > /dev/null 2>&1 &

Code:
#!/bin/sh
# Watch auth.log; on a failed SSH password, redirect port 22220 to local
# port 2222, stop the real SSH daemon, show a notification and play a sound.
tail -fn0 /var/log/auth.log | \
while read -r line ; do
    if echo "$line" | grep "Failed password"
    then
        # Redirect TCP port 22220 arriving on wlan0 and gprs0 to local port 2222
        iptables -A PREROUTING -t nat -i wlan0 -p tcp --dport 22220 -j REDIRECT --to-port 2222
        iptables -A PREROUTING -t nat -i gprs0 -p tcp --dport 22220 -j REDIRECT --to-port 2222

        /etc/init.d/ssh stop

        dbus-send --type=method_call --dest=org.freedesktop.Notifications /org/freedesktop/Notifications org.freedesktop.Notifications.SystemNoteDialog string:"Visitors." uint32:0 string:"OK"

        mplayer /home/user/Alert.mp3
    fi
done

[1] https://github.com/micheloosterhof/cowrie
http://turbochaos.blogspot.nl/2013/0...ing-kippo.html

Last edited by jellyroll; 2016-02-20 at 18:14.
 

The Following 3 Users Say Thank You to jellyroll For This Useful Post:
Feathers McGraw's Avatar
Posts: 654 | Thanked: 2,368 times | Joined on Jul 2014 @ UK
#10
Originally Posted by jellyroll:
You can try to compile Kippo[1]

That's pretty cool. My first reaction was to install fail2ban, but it doesn't support journald's binary logging (yet). I guess tweaking the journald settings so it also writes authentication messages to a text log is one solution to that problem.
 

The Following User Says Thank You to Feathers McGraw For This Useful Post:
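An added example, not from any poster in this thread: a fail2ban-style count of failed SSH passwords per source address that reads plain message text on stdin, so it can be fed from the journal without a text log. The sample messages are constructed, the function names are hypothetical, and the unit name `sshd` in the closing comment is an assumption about the system.

```shell
#!/bin/sh
# failed_sources THRESHOLD: read sshd log messages on stdin and print
# "address count" for each source with at least THRESHOLD failed passwords.
failed_sources() {
    awk -v min="$1" '
        /Failed password for / {
            # Usernames are chosen by the client and may contain spaces or
            # even " from ... port ", so take the last "from ADDR port" that
            # sshd itself appends, scanning from the end of the line.
            for (i = NF; i > 2; i--)
                if ($i == "port" && $(i - 2) == "from") { hits[$(i - 1)]++; break }
        }
        END { for (ip in hits) if (hits[ip] >= min) print ip, hits[ip] }' | sort
}

# drop_rules: turn "address count" lines into iptables commands (printed, not run).
drop_rules() {
    while read -r ip _count; do
        echo "iptables -I INPUT -s $ip -p tcp --dport 22 -j DROP"
    done
}

# Constructed sample messages using documentation addresses.
sample_log() {
    cat <<'EOF'
Failed password for nemo from 203.0.113.7 port 40122 ssh2
Failed password for nemo from 203.0.113.7 port 40124 ssh2
Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Failed password for invalid user a from 198.51.100.9 port 1 ssh2 from 192.0.2.44 port 51514 ssh2
Accepted publickey for nemo from 192.168.1.112 port 52044 ssh2
Failed password for root from 198.51.100.23 port 33010 ssh2
EOF
}

sample_log | failed_sources 3 | drop_rules
# Live use (assumption: the unit is named sshd on your system):
#   journalctl -u sshd -o cat --since "10 minutes ago" | failed_sources 3
```

The fourth sample line carries a username with an embedded address; counting from the end of the line attributes it to the address sshd appended rather than the one inside the username.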

Tags
devel-su, jolla, root access, sailfish, ssh daemon


 