Software Engineering Institute

On the Solaris operating system, SSH includes a feature to use Secure RPC credentials instead of requiring a separate user-supplied passphrase for SSH. This is beyond the intended use of Secure RPC and is not endorsed or in any way supported by Sun.

When the user elects to use this feature by typing "SUN-DES-1" as their SSH passphrase, SSH computes a "magic phrase" based on the user's Secure RPC public and private keys. This magic phrase is used as the passphrase to encrypt the user's SSH private key file.

The only secret used in the computation of the magic phrase is the user's Secure RPC private key. Secure RPC keys are managed by a process called keyserv, which stores the user's Secure RPC private key in memory after the user has authenticated to Secure RPC.

The computation of the magic phrase involving the secure RPC private key uses a keyserv API function called key_encryptsession. If the user has not properly authenticated to Secure RPC, then her private key is not available to key_encryptsession. Unless keyserv was started with the "-d" flag, key_encryptsession will attempt to use the nobody user's private key instead. If keyserv holds a private key for the nobody user, it will be used by key_encryptsession to compute a magic phrase which can be easily recovered by an attacker. Since the magic phrase is used to encrypt the SSH private key file, compromise of the magic phrase also compromises the SSH private keys and the cleartext of the user's SSH sessions. If keyserv does not have the nobody user's private key, key_encryptsession returns an error, which in turn causes SSH to display an error message.

The key_encryptsession function can use the nobody user's private key only if keyserv has found and stored it. Typically, the keyserv process finds the nobody keys from the /etc/publickey file. If the system is configured for NIS, the default lookup behavior allows keyserv to search this file. If the system is configured for NIS+, the default lookup behavior prevents the file from being searched for keys.

Running keyserv with the "-d" flag will stop key_encryptsession from using the nobody user's private key as a fallback when the caller's private key is not found in keyserv.

A weakly-encrypted key file may be used to obtain unauthorized privileges of affected users. The impact is based on the sensitivity of the information being communicated through SSH.

SSH1 users should install the patch available at: http://www.ssh.com/products/ssh/patches.html

This patch relies on a function of keyserv API version 2, which is supported in Solaris 2.x. This version of the keyserv API may not have been included in Solaris 1.x, so the patch may not provide a complete solution for machines running Solaris 1.x.

Always authenticate to Secure RPC before generating SSH keys using the "SUN-DES-1" passphrase. If your login password is the same as your Secure RPC password, the standard Solaris login methods (login, dtlogin, etc.) will authenticate you to Secure RPC. Otherwise, you should run keylogin to authenticate to Secure RPC.

For better assurance, remove the nobody user entry from the /etc/publickey file or, for a more complete fix, run keyserv with the "-d" flag.