Re: Emergency shutdown feature

linux kernel account (linker@nightshade.z.ml.org)
Sat, 20 Dec 1997 15:15:41 -0500 (EST)


On Sat, 20 Dec 1997, Mr. James W. Laferriere Network Engineer wrote:

>
> Hello Olaf,
>
> ssh -l root hostname 'reboot'
>
> But, I see you want something that will get to the kernel
> and the above is user-space. Why not use a ssh 'like'
> approach? The packet -must- have come from a known host(s)
> and -must- come from a trusted 'user'. The ssh package
> already has this functionality, it would be nice to see
> this used and not rebuild the wheel. Tia

After thinking for a moment, I have a better suggestion:

A host and a userspace rebooter on another box share a 20 byte (160bit)
secret.

When a client wants to reboot a host it takes the unix time and drops the
least significant 8 bits and makes that byte=FF. Then it takes the first
8 chars of the hostname (padding with nulls if shorter). Then it adds on
the 160-bit secret. It then performs the SHA transform on the 32-byte input
and produces a 160-bit magic value.

It transmits this magic value in a ping packet (with some special flag
set in the ICMP header) to the remote host.

The remote host can easily verify the packet (just perform the SHA), and it
can easily compute the keys ahead of time (during system idle or
whatever).

Providing no weakness in SHA the easiest cracking would involve sending
2^160 ping packets. Assuming that the protocol used ping packets of a
minimum size (20 byte tcp, 8 bytes icmp and 20 bytes payload) it would
require sending 70152078591883340073776871970381584943484762062848 bytes
of data for a brute force attempt. This is also assuming the compute
clocks were exactly synced and that it took no time to produce the hashes
and check them and such.

Assuming the attack were occurring across 100 megabit ethernet and occurring
with 100% efficiency with no other load on the line it would take an
attacker an average of 8.7919 * 10^34 years to complete the attack. In the
worst case (the last key tried is right) it would take double that.

Assuming the sysadm isn't an NT user, he would notice the attack long
before its completion and take appropriate action.

With some 'flood' protection the DOS possibilities of this attack are low.
Esp considering that the hash need only be computed once every four
minutes..