Worry about passwordless login


I’m not very clear about just how much damage malefactors can do, if they get access to arbitrary code execution through the php exploits we’ve been hearing about.

Presumably they have full access to the directory that the website is hosted in. But can they rise up a level, and get into the user’s home directory?

And if so, could they, for example, do things like install their own passwordless login key in the .ssh directory?

I haven’t seen any discussion about this so maybe it’s nothing to worry about, but please could somebody confirm?

If an intruder could install a passwordless login, I’m not sure how one would go about detecting it.



probably if you get hacked it’s a good idea to remove the .ssh directory and start over. there is no code barrier to this happening, although the directory structure itself might be dreamhost specific and not worth the bother to the hacker. How much standard effort? I hadn’t thought we’d see tailored probes for individual wordpress plugins, so that’s a surprise, it probably comes down to if you’re hacked assume you should rebuild .ssh





They have access to the user’s space, not just the document root directory.

That would be an ideal backdoor. I don’t think it’s used as much because it would prevent someone who was caught with the matching private key the defence of plausible deniability. But it is one of the many possibilities.

Create a git archive of your account. Clone the archive elsewhere (backups user, local machine). You can’t make a change in a git repo without git noticing. I believe even changing just permissions will be detected.



GIT is a good notifier for changes you might not generally notice :wink:


Well the question is, how to tell if you’ve been hacked. Waiting until you’ve obviously been hacked, and your website goes up in smoke, and then removing the .ssh directory in case that’s where the hacker was hiding … that would be leaving it too late, surely.

I began this thread mainly out of startlement at not being asked for my existing password when I created a passwordless login. In well designed systems, like gmail, it asks you for your password when you try to change the security settings, even though you’re already logged in. Presumably this is so that an intruder with non-standard access to the system can’t easily change the security settings.

Shouldn’t there be something like a .htaccess file in the .ssh directory, so that the directory is password-protected?

That’s an interesting suggestion … but how seriously do you mean it?

There’s been much discussion of how the balance of responsibility for security divides between Dreamhost and its customers. Dreamhost is, perfectly reasonably, asking customers to bear their appropriate share of responsibility. The question is, what is appropriate.

What we have here is a gaping security hole in Linux, the operating system chosen by Dreamhost.

If anyone who clicks on a “one-click plug-in” is vulnerable to having hackers silently install password-less logins in their account, and if the only real way to detect this is for customers to create and continuously maintain git archives of their accounts … well, what do you think?



What I think is that you should spend some time reading the DH wiki as well as a bit more research on these topics first, then come back and see if you can answer your own question.


Do things like create a GIT archive of your account and monitor it.

The suggestion was a solution. How seriously did you want a solution?

What leads you to believe a .htaccess file will secure anything?

Eh? What discussion? Where?

The “appropriate share of responsibility” is that the Webmaster is 100% responsible.

On what research are you basing this… claim?

Any person - who installs any script - in any manner - on any operating system - on any computer - is vulnerable to hacking if the script they chose to install is exploitable.



No I’m not going to do research on this, beyond a quick google, which fails to bring up any example (except for Bill’s remark in this thread) which suggests that people should monitor or rebuild the .ssh directory as part of their intrusion detection procedures.

This SHOULD mean that passwordless login installation by hackers is not a feasible exploit. There are plenty of experts here who can easily tell us if that is the case. It shouldn’t need research.

I’m puzzled that nobody is commenting very definitely. Bobocat’s remark that “I don’t think it’s used as much because it would prevent someone who was caught with the matching private key the defence of plausible deniability” is a rather weak consideration. When did “plausible deniability” ever figure in a hacker’s defence case?

I say again, maybe this exploit simply isn’t possible. But if it is possible, then it’s a gaping hole in Linux security. When I said “Shouldn’t there be something like a .htaccess file in the .ssh directory, so that the directory is password-protected?” I didn’t mean that .htaccess itself would do the job. I said something like .htaccess.

Something that authorized programs (such as ssh itself) could easily get through, but which would stop everybody else and demand a password.

If Linux can’t easily provide this, and if there is a need for it, then the lack of it is a gaping security hole in Linux.


It’s an absurd solution. People simply aren’t going to do that.



Tom, the solution is good. It is your rhetoric that is absurd.

If you want to lose a debate, visit any debating forum.


We still haven’t been told for sure that this really is a problem ~ that hackers who get arbitrary code access can silently install passwordless logins (and I would have thought that if it is a problem, we should already have heard more about it)

But as nobody is saying that it’s not a problem, I’ll assume that it is, and go ahead with the discussion anyway.

What I’m going to say may provoke disagreement, since there are people here who argue that Dreamhost has no responsibility to do things that users can do for themselves.

But the key point is that the people who most need help with security checking are the people who are least able to do it for themselves.

The git-based solution suggested above is not good because the people who most need it are not able to, and not likely to become able to, implement it.

Here, in contrast, is a simple and systematic solution that could be applied by Dreamhost to solve the problem for everyone.

There’s nothing secret about the public part of an rsa key pair, so anyone who sets up for themselves a passwordless login could upload the public part of their key into a Dreamhost panel.

Dreamhost could then, as part of its regular security-checking, check periodically that .ssh folders contain only keys that have been uploaded into the panel.

I’ve looked into the files in my .ssh folders and they are all in ascii text, so presumably we could write scripts to do this kind of checking ourselves. But it would be much better if Dreamhost did it, as then (a) it would be done correctly and (b) the problem would be solved for everybody.
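The allowlist check described in this post, written out as an added example (not code from the thread or from DreamHost): it parses an `authorized_keys` file, compares each entry against the public keys the account holder has registered, and reports any key that is not on that list. The key blobs and file contents are constructed sample data, and `audit`, `fingerprint` and `APPROVED` are names chosen for this example.

```python
import base64
import hashlib
import re
# Key types OpenSSH accepts; a fixed list lets the regex skip any option prefix
# (no-pty, command="..." etc.) that may precede the key itself.
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521))\s+"
    r"([A-Za-z0-9+/]+={0,2})")

def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a base64 key blob (for the report)."""
    digest = hashlib.sha256(base64.b64decode(blob, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit(authorized_keys_text, approved):
    """Return (line_no, reason) for each entry that is not an approved key.
    Identity is (type, blob) only, so a rogue key with a copied comment is caught."""
    approved_set = set(approved)
    findings = []
    for no, line in enumerate(authorized_keys_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments are fine
        m = KEY_RE.search(line)
        if m is None:
            findings.append((no, "unparsable entry"))
        elif (m.group(1), m.group(2)) not in approved_set:
            try:
                findings.append((no, fingerprint(m.group(2))))
            except ValueError:            # binascii.Error is a ValueError
                findings.append((no, "malformed key blob"))
    return findings

# Constructed sample data (not real keys): the blobs carry the correct header
# bytes and a valid base64 length but are otherwise filler.
ED25519_HDR = "AAAAC3NzaC1lZDI1NTE5AAAAI"
KEY_ALICE = ED25519_HDR + "EXAMPLEKEYONE" + "A" * 30
KEY_BACKUP = "AAAAB3NzaC1yc2EAAAADAQABAAAAgQ" + "EXAMPLEKEYTWO" + "A" * 29
KEY_ROGUE = ED25519_HDR + "EXAMPLEKEYBAD" + "A" * 30
APPROVED = [("ssh-ed25519", KEY_ALICE), ("ssh-rsa", KEY_BACKUP)]   # "panel" list
SAMPLE_AUTHORIZED_KEYS = f"""# keys the account holder set up
ssh-ed25519 {KEY_ALICE} alice@laptop
no-pty,command="/usr/bin/rsync --server" ssh-rsa {KEY_BACKUP} backup host
ssh-ed25519 {KEY_ROGUE} alice@laptop
"""

if __name__ == "__main__":
    for no, why in audit(SAMPLE_AUTHORIZED_KEYS, APPROVED):
        print(f"authorized_keys line {no}: not an approved key ({why})")
```

The rogue entry on the last line reuses the owner's comment, which is why the comparison deliberately ignores comments and options and keys off the type and blob alone.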




Let us know how you get on with that.


OK, I’ve made the following (simpler) suggestion:

“Please send email notification to the account-holder whenever a dsa or rsa key is added to ~/.ssh/authorized_keys. That would help mitigate the risk of intruders with non-standard access installing their own passwordless logins.”

Now it has to go through pre-screening.



Even easier: disable shell access. It’s disabled by default.


Hmmmmm…quote 1 (me)

quote 2 (sXi)


Or are you suggesting that people should go into the panel to enable shell access when they are about to do anything, then wait a few minutes for it to take effect, then log in and do whatever they wanted to do, then log out, then go back to the panel to disable shell access? That had actually occurred to me, but I thought it would be too weird as an idea to mention.



Quoting out of context will not help your cause.

Further reading: http://dreamhost.com/terms-of-service/


Hello sXi, I don’t understand your concern, please explain.

I have the impression you believe that any Dreamhost customer who is responsible for a website should be encouraged to learn about shell commands, and I have quoted you to that effect.

If you feel the quotation misrepresents your position, or is used in a way to make it seem you are saying something which you are not, please explain, and I will make full apology.

Incidentally I agree with that view, or at least with the view that I thought you had, and am enjoying learning a little bit about shell commands myself. For this reason I’ve enabled shell access on some of my users, so please say if you think that’s not a good idea.



Protip: read before reply.


Hi. You are suggesting I read the Dreamhost ToS again? It’s a good read. But in this case I’ll make the point that the ToS are irrelevant to the argument I’m making. When I say Dreamhost should provide nicely packaged site-integrity-checking services, I don’t mean that I think they’re contractually bound to do that. I’m using the word ‘should’ in the normal everyday sense - that it would help make the world a better place.

By the way, when I was looking in the suggestions list yesterday, I noticed a fairly recent suggestion saying something similar. I used 5 credits voting it up and I hope that many of my fellow customers will do the same.



Not at all. I was suggesting you read the thread so that you might then understand the conversational flow and the reason your quote is out of context to the point you were attempting to make.