[Users] SECURITY: root privilege escalation / trivial reveal of stored passwords
Eric Warnke
ericew at gmail.com
Wed Aug 22 00:41:38 CEST 2007
Below are two serious security issues with SSHKeychain that need the
attention of all users. I have listed a workaround with each.
1 - Root privilege escalation
TunnelRunner is suid root and has poor protection from attack. This
allows any user on the system to trivially obtain root privileges.
HOW TO FIX: You must remove the suid bit from the TunnelRunner
utility. In a default install this is as simple as the following
command line.
sudo chmod 755 /Applications/SSHKeychain.app/Contents/Resources/TunnelRunner
PROBLEMS: This fix will prevent the tunneling of low ports (below 1024).
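The following script is an added example, not part of the original post or of SSHKeychain: it wraps the chmod workaround above in a check that reports whether a file carries the setuid bit, strips it, and verifies the result. The TunnelRunner path is the one given in the post; the function names (is_suid, strip_suid) are my own.

```shell
#!/bin/sh
# Added example: audit a file for the setuid bit, strip it, verify.
# Assumes POSIX find/chmod (works on macOS and Linux). Run with sudo
# when the target is owned by root, as TunnelRunner is in a default install.

# is_suid PATH -> exit 0 if PATH has the setuid bit (mode 4000) set.
# -prune keeps find from descending if PATH happens to be a directory.
is_suid() {
    [ -n "$(find "$1" -prune -perm -4000 2>/dev/null)" ]
}

# strip_suid PATH -> remove the setuid bit; return 0 only if the file
# is no longer setuid afterwards, 2 if the file does not exist.
strip_suid() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 2; }
    if is_suid "$f"; then
        echo "setuid bit set on $f, removing" >&2
        chmod u-s "$f" || return 1
    else
        echo "$f is not setuid, nothing to do" >&2
    fi
    ! is_suid "$f"
}

# Default target is the path from the post; pass another path to check it.
TARGET="${1:-/Applications/SSHKeychain.app/Contents/Resources/TunnelRunner}"
if [ $# -gt 0 ] || [ -f "$TARGET" ]; then
    strip_suid "$TARGET"
fi
```

Running it as `sudo sh fix_suid.sh` on a default install applies the workaround; running it again reports that nothing is left to do, which is a cheap way to confirm the bit has not come back after an upgrade reinstalls the bundle.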
2 - Stored password reveal
Poor protection in the PassphraseRequester utility means that any
password saved by SSHKeychain, including the private key password, can
be trivially revealed to anyone who has access to the session.
Example:
/Applications/SSHKeychain.app/Contents/Resources/PassphraseRequester \
"Enter passphrase for $HOME/.ssh/id_rsa"
HOW TO FIX: Use the "Keychain Access" utility and delete all keys
associated with SSHKeychain. Do not save further passwords for
private keys or tunnels until a proper fix has been released.
PROBLEMS: You will need to unlock your private key when it is added to
SSHKeychain. With your preferences set properly this will not be too
much of an additional burden in the name of security.
--------
Both problems may be solvable through patches, but I'm not sure what
the timeframe will be.
-Eric