maemo.org - Talk


Feathers McGraw 2016-01-16 23:13

devel-su and SSHD (developer mode remote connection) on Sailfish
 
I don't like leaving SSHD running on my phone, because it leaves the phone vulnerable to brute-force password attacks against SSH when on mobile networks and public wifi. I'd never leave a server like that, so I'm definitely not going to do that on my phone.

I've been frustrated a few times to find that nemo's PW is reset when the GUI option to enable or disable remote access is toggled. Even if you don't enter anything in the new PW box or click "generate", enabling or disabling SSHD will wipe the existing PW. Grr!

I did some experimenting... this is with SSHD enabled:

Code:

[root@Jolla nemo]# cat /etc/passwd | egrep '\<(root|nemo)\>'
root:x:0:0:root:/root:/bin/bash
operator:x:11:0:operator:/root:/sbin/nologin
nemo:x:100000:100000::/home/nemo:/bin/bash

[root@Jolla nemo]# cat /etc/shadow | egrep '\<(root|nemo)\>'
root:!*:16571:0:99999:7:::
nemo:topsecretpasswordhash:::

After turning remote access off in the GUI:

Code:

[root@Jolla nemo]# cat /etc/passwd | egrep '\<(root|nemo)\>'
root:x:0:0:root:/root:/bin/bash
operator:x:11:0:operator:/root:/sbin/nologin
nemo:x:100000:100000::/home/nemo:/bin/bash

[root@Jolla nemo]# cat /etc/shadow | egrep '\<(root|nemo)\>'
root:!*:16571:0:99999:7:::
nemo::16816:0:99999:7:::

So:
  • like most (all?) modern Linux distros, the password hashes are stored in /etc/shadow, and the non-sensitive info is stored in /etc/passwd
  • devel-su authenticates with nemo's password, not the root password ("set a password for SSH and root access" should be clearer IMO)
  • root password is never set by Jolla utilities
  • disabling SSHD clears nemo's password as well as disabling SSH

The whole thing is quite irritating really, because you can't easily control the two settings independently of each other in the GUI, AND the device is very insecure - it would literally take someone 30s to get root access.

I've been trying to think of a decent way to separate the two, but I don't think there's an obvious perfect solution. Here are my thoughts on workarounds with the current setup:

You can set a password for nemo using the utility passwd, which will enable you to use devel-su in fingerterm without SSHD, but enabling SSHD in the GUI will still clobber your PW.

I guess you can also manually change SSHD to allow publickey authentication only, but I'm not sure if the GUI setting will clobber this too. This also doesn't solve the problem that someone can pick up your device and root it in 30s.

If I could go back in time and whisper in the Jolla devs' ears as they were designing the system, here's how I'd suggest setting it up:
  • On first boot (or first time enabling developer mode), the user is asked to set a root PW. Scary warning not to forget this or you won't be able to reset it without factory resetting the device.
  • Devel-su asks for root PW, not nemo's PW.
  • No way to change root PW if you forget it without doing a factory reset of the device (wipes data).
  • Remote connection does pretty much the same thing it does now, i.e. sets nemo's password (which isn't used for anything apart from SSH) and enables/disables SSHD. Technical users could require publickey authentication if they wanted by changing /etc/ssh/sshd_config, in which case the GUI changing nemo's password wouldn't make a difference to anything.

Two questions for the rest of you:
  1. What do you think is the best way to handle the current setup on Sailfish?
  2. If you could start fresh and do whatever you wanted, how would you approach root access and SSHD?

Hopefully I'm not the only one irritated by this ;)
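
An added example (not part of the original post): a small audit of the two things the post inspects by hand, nemo's field in /etc/shadow and the password setting in sshd_config. The function names and the sample sshd_config are constructed for illustration; an empty second field in /etc/shadow means no password is required for that account.

```shell
#!/bin/sh
# Added example: report the account and sshd state discussed in the post.
# File paths are arguments so it can be run against copies of the real files.

# shadow_state FILE USER -> empty | locked | set | missing
shadow_state() {
    awk -F: -v u="$2" '
        $1 == u { found = 1
                  if ($2 == "")          print "empty"   # no password needed
                  else if ($2 ~ /^[!*]/) print "locked"  # no password can match
                  else                   print "set" }
        END { if (!found) print "missing" }' "$1"
}

# sshd_option FILE KEYWORD DEFAULT -> value from the global section of
# sshd_config (sshd keeps the first value it reads), else DEFAULT.
sshd_option() {
    awk -v k="$2" -v d="$3" '
        tolower($1) == "match"    { exit }
        tolower($1) == tolower(k) { v = tolower($2); exit }
        END { print (v == "" ? d : v) }' "$1"
}

# audit SHADOW SSHD_CONFIG USER -> one summary line plus warnings
audit() {
    state=$(shadow_state "$1" "$3")
    pw=$(sshd_option "$2" PasswordAuthentication yes)
    echo "user=$3 shadow=$state PasswordAuthentication=$pw"
    [ "$state" = set ] && [ "$pw" = yes ] &&
        echo "WARN: $3 can be attacked by SSH password guessing"
    [ "$state" = empty ] &&
        echo "WARN: $3 has an empty password field"
    return 0
}

# Constructed sample input: the two /etc/shadow states shown in the post,
# plus a constructed sshd_config that only allows public keys.
demo_dir=$(mktemp -d)
printf '%s\n' 'root:!*:16571:0:99999:7:::' 'nemo:topsecretpasswordhash:::' > "$demo_dir/shadow.on"
printf '%s\n' 'root:!*:16571:0:99999:7:::' 'nemo::16816:0:99999:7:::' > "$demo_dir/shadow.off"
printf '%s\n' '#PasswordAuthentication yes' 'PubkeyAuthentication yes' \
    'PasswordAuthentication no' > "$demo_dir/sshd_config.keys"
: > "$demo_dir/sshd_config.default"

audit "$demo_dir/shadow.on"  "$demo_dir/sshd_config.default" nemo
audit "$demo_dir/shadow.on"  "$demo_dir/sshd_config.keys"    nemo
audit "$demo_dir/shadow.off" "$demo_dir/sshd_config.default" nemo
```

On a device it would be run as root as `audit /etc/shadow /etc/ssh/sshd_config nemo`, before and after toggling the GUI setting.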

mced 2016-02-14 18:59

Re: devel-su and SSHD (developer mode remote connection) on Sailfish
 
Quote:

Originally Posted by Feathers McGraw (Post 1495199)
Hopefully I'm not the only one irritated by this ;)

It seems you are :)

Point I: Yeah, this SSHD/password GUI config is kind of surrealist.

II: If I wanted to enable/disable SSHD, probably I would try systemctl start/stop sshd.

III: My 3G provider, Yoigo (Telia Sonera) gives IPs behind a CGNAT. So the SSH daemon is not accessible to the whole world. Of course, there are these WhatsApp teenagers behind the same CGNAT as me, but I don't expect them to know what SSH means.

IV: The same thing with public wifis at restaurants, transport and the like.

V: Get root access in 30 seconds? Could you post a link to this bug?

VI: I don't know why, but I'm unable to set RSA key authentication on my Jolla. I've got three of four Debian machines, my Raspbian RPi and an OpenWRT router, all of them sharing their respective RSA keys: they work flawlessly. But when it's time to log into my Jolla this way, "Permission denied (publickey)".

jellyroll 2016-02-14 19:38

Re: devel-su and SSHD (developer mode remote connection) on Sailfish
 
This all works differently compared to the Maemo system.

Feathers McGraw 2016-02-14 20:32

Re: devel-su and SSHD (developer mode remote connection) on Sailfish
 
Quote:

Originally Posted by mced (Post 1498786)
III: My 3G provider, Yoigo (Telia Sonera) gives IPs behind a CGNAT. So the SSH daemon is not accessible to the whole world. Of course, there are these WhatsApp teenagers behind the same CGNAT as me, but I don't expect them to know what SSH means.

IV: The same thing with public wifis at restaurants, transport and the like.

I'm really surprised to hear someone on this forum make an argument like this. Do you always rely on other people's incompetence for the security of your systems?

Quote:

V: Get root access in 30 seconds? Could you post a link to this bug?

  1. pick up a jolla
  2. enable developer mode
  3. toggle remote connection and set whatever password you like, without having to know the current password
  4. open fingerterm
  5. use devel-su with the password you just set to run commands as root

You shouldn't be able to set the password required for root access like that, it's stupid. On a normal system, if you log in as a user in the sudo group, you need to know either that user's password or the root password to run commands as root (depending on how sudo is configured). If you want to change your own password, you need to know the current password.

Quote:

VI: I don't know why, but I'm unable to set RSA key authentication on my Jolla. I've got three of four Debian machines, my Raspbian RPi and an OpenWRT router, all of them sharing their respective RSA keys: they work flawlessly. But when it's time to log into my Jolla this way, "Permission denied (publickey)".

Works fine here:

Code:

sam@T440s:~$ ssh-copy-id nemo@192.168.1.227
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
nemo@192.168.1.227's password:

Number of key(s) added: 1

Now try logging into the machine, with:  "ssh 'nemo@192.168.1.227'"
and check to make sure that only the key(s) you wanted were added.

sam@T440s:~$ ssh nemo@192.168.1.227
Enter passphrase for key '/home/sam/.ssh/id_rsa':
Last login: Sun Feb 14 20:22:17 2016 from 192.168.1.112
,---
| SailfishOS 2.0.1.7 (Taalojärvi) (armv7hl)
'---

I don't think I had to enable publickey authentication, pretty sure the default configuration allows it.

jellyroll 2016-02-14 21:34

Re: devel-su and SSHD (developer mode remote connection) on Sailfish
 
I do remember that MeeGo/Harmattan used to have the same settings for SSH and developer mode. It's nice to see the password being reset all the time while using a device lock code and one access IP.

pichlo 2016-02-14 22:32

Re: devel-su and SSHD (developer mode remote connection) on Sailfish
 
Quote:

Originally Posted by Feathers McGraw (Post 1498791)
  1. pick up a jolla
  2. enable developer mode
  3. toggle remote connection and set whatever password you like, without having to know the current password
  4. open fingerterm
  5. use devel-su with the password you just set to run commands as root

If you were as security conscious as your posts suggest, you would have a step between 1 and 2:
  • guess the unlock code

Why worry about the root access anyway? All the important stuff is in the user land: your files, your contacts, your login creds to various services... About the only thing that knowing the root password gives you is access to other users' data and the possibility to install stuff, both irrelevant on Jolla.

Feathers McGraw 2016-02-14 23:31

Re: devel-su and SSHD (developer mode remote connection) on Sailfish
 
Quote:

Originally Posted by pichlo (Post 1498797)
If you were as security conscious as your posts suggest, you would have a step between 1 and 2:
  • guess the unlock code

Jolla should ship sensible and secure defaults. It's not unreasonable to expect some privilege separation between nemo and root, and that shouldn't depend on having a lock code (I do use one by the way, but it's beside the point).

Quote:

Why worry about the root access anyway? All the important stuff is in the user land: your files, your contacts, your login creds to various services...

I don't disagree (in fact I've made that point before, so much stuff on SFOS runs as nemo including systemd). There are still some things you can do without root though, in particular it's much more difficult to hide your tracks without root. An attacker with root privileges can clean up after themselves. It doesn't make any sense to throw away that security boundary unnecessarily.

Quote:

the possibility to install stuff...irrelevant on Jolla.

Why is it irrelevant on Jolla? Do you mean because you can install software without root with pkcon? I pointed this out before, and someone noted that you can't add a repo without root. The damage you can do without root is limited and relies on malicious software in trusted repos, or the existence of apps in those repos that could be exploited to gain root.

I don't understand why people are trying to pass this off as unimportant. I'm not just hating on SFOS, what I'm saying is that Jolla seem to have hacked this part of the system together and have overlooked the fact that it leaves a hole in the system's security unnecessarily.

pasko 2016-02-14 23:50

Re: devel-su and SSHD (developer mode remote connection) on Sailfish
 
Hi.
My n9 has the following firewall rule for ssh connections:
Code:

-A INPUT -i gprs0 -p tcp -m tcp --dport 22 -j DROP
This silently drops all incoming connections to the gprs0 interface. OTOH I'm only on WiFi when I'm at home (controlled environment).
I don't have a Jolla (yet), but if it has a firewall this solution is fairly simple in my opinion.
Regards.

jellyroll 2016-02-15 07:06

Re: devel-su and SSHD (developer mode remote connection) on Sailfish
 
Quote:

Originally Posted by Feathers McGraw (Post 1495199)
I don't like leaving SSHD running on my phone, because it leaves the phone vulnerable to brute-force password attacks against SSH when on mobile networks and public wifi. I'd never leave a server like that, so I'm definitely not going to do that on my phone

You can try to compile Kippo[1]. I use it on my N900 sometimes with a script like this: nohup sh /script.sh > /dev/null 2>&1 &

Code:

#!/bin/sh
# Follow the auth log and react to every "Failed password" line.
tail -fn0 /var/log/auth.log | \
while read -r line ; do
    if echo "$line" | grep -q "Failed password"
    then
        # Redirect incoming TCP port 22220 to local port 2222 on the
        # WLAN (wlan0) and mobile data (gprs0) interfaces.
        iptables -A PREROUTING -t nat -i wlan0 -p tcp --dport 22220 -j REDIRECT --to-port 2222
        iptables -A PREROUTING -t nat -i gprs0 -p tcp --dport 22220 -j REDIRECT --to-port 2222

        # Stop the SSH daemon.
        /etc/init.d/ssh stop

        # Show a notification dialog and play an alert sound.
        dbus-send --type=method_call --dest=org.freedesktop.Notifications /org/freedesktop/Notifications org.freedesktop.Notifications.SystemNoteDialog string:"Visitors." uint32:0 string:"OK"
        mplayer /home/user/Alert.mp3
    fi
done


[1] https://github.com/micheloosterhof/cowrie
http://turbochaos.blogspot.nl/2013/0...ing-kippo.html

Feathers McGraw 2016-02-15 09:36

Re: devel-su and SSHD (developer mode remote connection) on Sailfish
 
Quote:

Originally Posted by jellyroll (Post 1498817)
You can try to compile Kippo[1]

That's pretty cool :) My first reaction was to install fail2ban, but it doesn't support journald's binary logging (yet). I guess tweaking the journald settings so it also writes authentication messages to a text log is one solution to that problem.
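
The detection step that both the watcher script and fail2ban rely on, as an added example that is not part of the original posts: counting failed SSH password attempts per source address from log text on stdin. The function names and log lines are constructed; the lines assume the usual syslog-style prefix with `sshd[pid]:`.

```shell
#!/bin/sh
# Added example: count failed SSH password attempts per source address.

# failed_by_ip THRESHOLD  (reads log lines on stdin)
# Prints "COUNT IP" for every address with at least THRESHOLD failures.
failed_by_ip() {
    awk -v min="$1" '
        /sshd\[[0-9]+\]: Failed password for / && NF >= 9 &&
        $(NF-4) == "from" && $(NF-2) == "port" {
            # The user name is chosen by the client, so take the address
            # from its fixed position at the end of the line, not from
            # the first "from" in the message.
            n[$(NF-3)]++
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' | sort -rn
}

# Constructed sample lines. The third one carries a user name that itself
# contains "from 192.0.2.1 port 1" to show why the position matters.
sample_log() {
    cat <<'EOF'
Feb 14 20:20:01 Jolla sshd[1201]: Failed password for nemo from 203.0.113.9 port 40112 ssh2
Feb 14 20:20:03 Jolla sshd[1201]: Failed password for nemo from 203.0.113.9 port 40112 ssh2
Feb 14 20:20:05 Jolla sshd[1203]: Failed password for invalid user root from 192.0.2.1 port 1 from 203.0.113.9 port 40113 ssh2
Feb 14 20:21:10 Jolla sshd[1210]: Failed password for nemo from 198.51.100.4 port 51000 ssh2
Feb 14 20:22:17 Jolla sshd[1215]: Accepted publickey for nemo from 192.168.1.112 port 50022 ssh2
EOF
}

sample_log | failed_by_ip 3
```

On a journald-only system the same function can read `journalctl -u sshd` output instead of a text log, assuming the unit is named sshd as in the systemctl suggestion earlier in the thread.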

