KS2011: Kernel.org report
H. Peter Anvin started with a history of kernel.org, which was initially set up when Linus moved to California and started working for Transmeta. It was split off as a standalone nonprofit organization in 2002. Running kernel.org had never been anybody's full-time job; it was an all-volunteer effort until 2008, when the Linux Foundation hired John Hawley as its first full-time administrator.
When it was set up, kernel.org was envisioned entirely as a distribution point, not as a place where development got done. The transition to git changed things, but nobody appreciated the implications at the time. There was also a lot of time put into a growing list of web-driven services. The kernel.org folks had to maintain their own version of gitweb, which would not have functioned in that environment without the caching layer they added. Kernel.org also ended up supporting a bugzilla installation, patchwork, various wikis, the kerneloops.org site, and more. Running kernel.org had turned into a big, complex job.
On the morning of August 28, 2011, Peter discovered that his personal server had been compromised. As he dug into the situation, it became clear that kernel.org had been hit as well. The attack turns out to have been part of a widespread credential-stealing network that has been operating for some years now; it is clear that the site had been owned by this network for some time before it was discovered. What also seems to be clear is that this was not a targeted attack; kernel.org was just another on a long list of broken machines.
The attackers operated quietly; the site was not used for activities like spamming. What the attackers did do was to snoop operations on ttys and record usernames and passwords. They installed trojan ssh and sshd binaries and, seemingly, were able to exploit ssh agent forwarding to move on to new machines. What they did not do was to mess with the data on kernel.org; after an extensive investigation, no data tampering has been found. Even so, kernel.org is coming back without all the old data; developers are asked to carefully review anything they care about before re-uploading it.
Kernel.org is being rebuilt from the beginning with a much greater separation of services; it will also be moving fully into the Linux Foundation. Peter noted that, over the years, the Linux Foundation has built a lot of credibility; there is a lot of faith in how they serve the development community. The Linux Foundation is also a lot better at raising funds to support operations like kernel.org. There will be additional staff to do the job properly, and no more volunteer administrators. Only full-time administrators will have root access to the systems involved; Peter, who is keeping his current day job, will not have that access.
Peter also talked about the building of the new PGP/GPG web of trust. It is, he said, something that we have needed for a long time. We are past the time where kernel developers are all able to identify each other. Locking down kernel.org to the inner core of the development community would not be a good thing; the site is there for the whole community. That means there needs to be a way to deal with mundane issues like lost credentials without actually knowing the people involved.
The old kernel.org would automatically sign tarballs and other files after they were uploaded. The signature was good for exactly one thing: verifying that the file involved did, indeed, come from kernel.org. But people had been reading more than that into kernel.org signatures, which were seen as some sort of guarantee that the data could be trusted. Central signing will not be happening anymore; developers will need to sign files - with their own keys - before uploading them. The new web of trust will allow those signatures to be verified by others.
The new git service will be built on gitolite, a mature package that has been deployed in a number of places and which has been through a number of security audits. Access to gitolite will be secured with ssh keys. For the uploading of tarballs and such, a new tool called "kup" has been developed. The use of both SSH and GPG keys will be required; the uncompressed file will be signed, then the tool will manage the creation of the various compressed formats. The old automatic compression on kernel.org used a daemon running as root, something that just doesn't seem like a good idea on the new kernel.org.
For email, only forwarding will be supported. Most mailing lists that were hosted there will move to vger.kernel.org; only a few, like security@kernel.org, will remain. Somebody asked if vger would remain separate or be pulled into the new site. The answer to that was clear: vger is maintained by Red Hat's IT group, they know how to deal with high-bandwidth mailing lists, it all works, and the kernel.org folks are more than happy to let them keep it. If nothing else, the thought of what would have happened had all the mailing lists gone down with the rest of kernel.org was enough to put an end to that discussion.
Other things like web services, will be restored eventually, but the process of hiring an additional administrator needs to run its course first.
Greg Kroah-Hartman talked briefly about what kernel.org users should be concerned about. In summary, any credential that touched kernel.org - passwords typed on that system, or keys stored there - should be considered to be compromised. He has a list of what may have been exposed for each user; he will be contacting those users with that information in the near future.
![[John Hawley]](https://web.archive.org/web/20240515193932im_/https://static.lwn.net/images/conf/2011/lc-europe/JohnHawley-sm.jpg)
John Hawley, the current full-time administrator, talked about the design
of the new site. The old kernel.org had a single system, called "hera,"
that was at the center of everything. The new version will be much more
distributed, with hera's functions split out to a number of separate boxes
(some of which will be virtual machines). The site is currently being
built on machines that had originally been delivered to the Linux
Foundation for other purposes; he noted that the firewall box has 24 CPUs
and 32GB of memory, which ought to be enough for the task. Currently only
John has access to the new systems; until somebody else is hired, the
community needs to cross its fingers against the possibility of bus-related
accidents.
John asked what else the community needs from the new site. The ability to run hooks attached to git repositories was at the top of the list; a lot of people miss the mailing lists that carry notifications of new commits. The lists may come back; the more general hook capability may not. There was also talk of a new server for shell accounts, though it's not clear what that would be needed for. Shell accounts will never be returning to the systems that matter; if a box were set up for that purpose it would likely be, as Ted Ts'o put it, a "honeypot server."
Ted also talked about a security working group being created within the Linux Foundation. That group will look at the security of the kernel code and the processes that create it in the hope of coordinating security-related efforts and tightening things up.
With regard to processes, Dave Airlie asked if a kernel.org account would be required to push patches into the mainline. Or will GPG-signed emails be required? Linus answered that he'll not require signatures; the tools for checking them are still too painful to use. He would like automatic checking of signatures on git pulls; that feature may show up at some point in the future, and he may use it. Linus will also accept pull requests from hosts other than kernel.org, but with some constraints. He does not like public hosting services like github; it served well as an emergency fallback, but he ended up checking every single patch he pulled from there, a process which isn't going to happen during the merge window. So, he said, do not send github-based pull requests. Requests from other hosts known to be trusted - freedesktop.org was named - are OK. But they have to use the git protocol - no HTTP-based pulls will be considered.
In response to a question about the upcoming merge window, Stephen Rothwell noted that he is currently sitting on the second-largest linux-next repository ever seen. There are over 11,000 commits waiting to flood into the mainline once Linus starts pulling. And that is with a lot of old trees that may not have found their way back to kernel.org before Stephen went on vacation in mid-October.
In summary, it has been a difficult time for kernel.org, and the people involved are looking very tired. But we have been lucky in a sense: it was not a targeted attack that could have done us some real damage. But it was a wakeup call that has led to a much-needed redesign of the system and its support. Kernel.org in the future should be a much stronger and better-supported resource for the community.
Next: Tracing for large data centers
| Index entries for this article | |
|---|---|
| Kernel | Development tools/Infrastructure |
| Kernel | Security |
| Security | Free software infrastructure |
| Security | Kernel.org |
(Log in to post comments)
KS2011: Kernel.org report
Posted Oct 25, 2011 9:30 UTC (Tue) by Trou.fr (subscriber, #26289) [Link]
At least now security people will *maybe* be listened to a bit more carefully, at least I hope so.
KS2011: Kernel.org report
Posted Oct 25, 2011 10:01 UTC (Tue) by dgm (subscriber, #49227) [Link]
Kernel developers care a great deal about security, only not of the circus variety. CVE numbers and stuff do not make systems more secure, less bugs do.
And for what I can tell, people that say reasonable things do get listened to. Those just whoring for attention do tend to get ignored, though.
That language about "security people" is part of the problem. You're a contributor, or you're not. If you're soo cool that you need to distinguish yourself from the rest of the pack, maybe you should consider a career as a designer instead. The LKML will not give you the kind of reward you expect.
KS2011: Kernel.org report
Posted Oct 28, 2011 20:12 UTC (Fri) by giraffedata (guest, #1954) [Link]
Your implication is that they were wrong to ignore the security vulnerabilities in kernel.org before and right to worry about them now. The opposite could be true too. As the risk is not greater now than before this compromise, aren't kernel.org people overreacting?
This is the same thing that always perplexes me when a person starts wearing a seat belt because a celebrity died by not wearing one. It's hard to believe the person has significantly more information about the risks of driving beltless after that one death, but there's a lot of psychology involved.
Git hooks
Posted Oct 25, 2011 13:22 UTC (Tue) by jnareb (subscriber, #46500) [Link]
I wonder if it would be possible to have this back, securely...
Git hooks
Posted Oct 25, 2011 21:02 UTC (Tue) by gregkh (subscriber, #8) [Link]
If you strongly object to this, let me know, through email, and we can discuss it there.
Public Git hosting
Posted Oct 25, 2011 15:31 UTC (Tue) by bgilbert (subscriber, #4738) [Link]
And the prohibition against HTTP makes no sense to me at all.
Public Git hosting
Posted Oct 25, 2011 16:31 UTC (Tue) by dlang (guest, #313) [Link]
if someone is requesting a pull from a place that is known to have done user verification this isn't an issue.
note that this is not saying that you have to have an account on one of these trusted places to participate in kernel development. it's just the final layer (the lieutenants and maintainers sending their pull requests to Linus) that is has this requirement. This is so that Linus can trust the source he is pulling from, at the lower levels the patches are supposed to be validated more directly so there is less need for trust.
Public Git hosting
Posted Oct 25, 2011 19:38 UTC (Tue) by corbet (editor, #1) [Link]
As dlang said, it's a matter of authentication; how do you know that the repository really belongs to the person named in the pull request?About http, that's purely a performance thing. The git:// protocol is far more bandwidth-efficient than the git-over-http protocol.
Public Git hosting
Posted Oct 25, 2011 20:13 UTC (Tue) by obrakmann (subscriber, #38108) [Link]
Public Git hosting
Posted Oct 25, 2011 21:09 UTC (Tue) by dlang (guest, #313) [Link]
Public Git hosting
Posted Oct 26, 2011 0:46 UTC (Wed) by neilbrown (subscriber, #359) [Link]
All you really need to sign is the email requesting the 'pull' and make sure the hash of the commit is in that email and easy for Linus to either use directly or check.
Unfortunately I cannot ask Linus to
git pull git://myhost/path hash-tag-goes-here
because git doesn't want a hash-tag, it wants a refspec.
However if git-pull were changed to accept that, and git-request-pull were changed to output exactly the right 'git pull' command, then Linus could just verify the signature on the email (which I hope is email client is up to!) and use the command that is in it. Then it doesn't matter how secure the hosting provider is - if the pull succeeds, it can be trusted as much as the person who signed the email.
So yes: a little bit cumbersome, but not much.
Public Git hosting - pull request in signed email
Posted Oct 28, 2011 20:19 UTC (Fri) by giraffedata (guest, #1954) [Link]
All you really need to sign is the email requesting the 'pull' and ...
Isn't that (verifying that email signature) the part Linus says is too cumbersome?
I haven't personally ever known anyone to verify an email signature, and I'm pretty sure my email reader (Emacs Rmail) can't do it, so I don't know what's involved.
Public Git hosting - pull request in signed email
Posted Oct 28, 2011 21:16 UTC (Fri) by neilbrown (subscriber, #359) [Link]
The mail reader I use (clawsmail) verifies email signatures quite nicely, and will even fetch keys for me. I don't think it warns me when someone changes keys which is something I would like.
Even emacs/vm can check mail signing...
I assumed that the bits that were too cumbersome were the signing and verification built in to git-tag.
Public Git hosting
Posted Nov 3, 2011 1:06 UTC (Thu) by slashdot (guest, #22014) [Link]
As far as I can tell, most mail clients support GPG and will tell you whether an e-mail is signed by a trusted key.
If using a custom mail client, it should be very easy to invoke GPG appropriately to do that check.
Public Git hosting
Posted Oct 25, 2011 21:12 UTC (Tue) by jimparis (guest, #38647) [Link]
Surely the smart HTTP transport is fine?
Public Git hosting
Posted Oct 25, 2011 21:14 UTC (Tue) by corbet (editor, #1) [Link]
Linus did mention the smart protocol and say it was better. Unless the developer says that the server uses smart http, though, it's not evident from the pull request and Linus is likely to ignore it.
KS2011: Kernel.org report
Posted Oct 26, 2011 1:01 UTC (Wed) by kjp (guest, #39639) [Link]
KS2011: Kernel.org report
Posted Oct 26, 2011 2:09 UTC (Wed) by dlang (guest, #313) [Link]
it's been long enough since the kernel.org exploit for this process to have worked it's natural course.
KS2011: Kernel.org report
Posted Nov 2, 2011 1:32 UTC (Wed) by junkio (guest, #5743) [Link]
KS2011: Kernel.org report
Posted Oct 26, 2011 16:49 UTC (Wed) by tialaramex (subscriber, #21167) [Link]
This definitely seems like an argument for working on tools to help users notice when this happens. Something relatively unintrusive would do the job, e.g. an icon like the "new mail" icon which blinks or something when your agent acts, and ideally provides information about when it last acted on behalf of a remote connection, which one, and using which key. This information about when the agent was used, and which key was used is definitely available internally, the rest I am less certain of.
KS2011: Kernel.org report
Posted Oct 28, 2011 11:26 UTC (Fri) by josh (subscriber, #17465) [Link]
KS2011: Kernel.org report
Posted Oct 28, 2011 11:28 UTC (Fri) by corbet (editor, #1) [Link]
Because a lot of existing keys were compromised and nobody wants to make guesses about which ones might be OK. SSH keys are cheap, why not replace them?
KS2011: Kernel.org report
Posted Oct 28, 2011 11:43 UTC (Fri) by josh (subscriber, #17465) [Link]
Replacing the SSH key doesn't seem crazy. However, maintaining a completely separate SSH key just for use on kernel.org causes quite a bit of additional complication and annoyance.
configure ssh identity by host
Posted Oct 28, 2011 17:16 UTC (Fri) by dmarti (subscriber, #11625) [Link]
configure ssh identity by host
Posted Oct 28, 2011 20:36 UTC (Fri) by nix (subscriber, #2304) [Link]
configure ssh identity by host
Posted Oct 31, 2011 10:54 UTC (Mon) by mp (subscriber, #5615) [Link]
configure ssh identity by host
Posted Oct 31, 2011 17:50 UTC (Mon) by nix (subscriber, #2304) [Link]
KS2011: Kernel.org report
Posted Oct 28, 2011 20:24 UTC (Fri) by giraffedata (guest, #1954) [Link]
Central signing will not be happening anymore; developers will need to sign files - with their own keys - before uploading them. The new web of trust will allow those signatures to be verified by others.
I don't get this part. Does the web of trust let one verify that the file was signed by a particular individual, or that it was signed by a trustworthy kernel developer? If it's just the former, it seems less valuable than the former automatic kernel.org signature.
KS2011: Kernel.org report
Posted Nov 8, 2011 17:25 UTC (Tue) by wookey (guest, #5501) [Link]
kernel.org no longer centrally signs submissions
Posted Nov 8, 2011 19:52 UTC (Tue) by giraffedata (guest, #1954) [Link]
Then am I right that the new system wherein developers sign files with their own keys is less valuable than the old one where they were signed by kernel.org automatically? I'm skeptical, but where am I wrong?With the new system, when I look at a file I know it came from some identifiable individual I don't know anything about. With the old one, I know it came from kernel.org. I know something about kernel.org. I know it's set up (and always has been) to tend not to accept garbage.
kernel.org no longer centrally signs submissions
Posted Nov 8, 2011 20:56 UTC (Tue) by raven667 (subscriber, #5198) [Link]
With the new system, when I look at a file I know it came from some identifiable individual I don't know anything about. With the old one, I know it came from kernel.org. I know something about kernel.org. I know it's set up (and always has been) to tend not to accept garbage.
If I understand correctly you don't have any reason to trust the old style kernel.org signature as it doesn't say anything about where the code came from or whether it is garbage or not since everything was automatically signed. All it told you is that the person who uploaded it had legitimate or illicit access to the kernel.org server, nothing more.
You could just assume trust for anything signed, which would be the same security posture as before. It'd be great if there were more easily accessible, clear and accurate documentation on how to do useful signature verification. I just checked the kernel.org signature page and it looked like it hasn't been updated in a decade.
kernel.org no longer centrally signs submissions
Posted Nov 8, 2011 21:56 UTC (Tue) by giraffedata (guest, #1954) [Link]
All it told you is that the person who uploaded it had legitimate or illicit access to the kernel.org server, nothing more.
It told me significantly more, because I know between those two possibilities, the legitimate access one is far more likely than the illicit access one. (If I didn't believe that, I never would have run anything I got directly from kernel.org on my computer).
kernel.org no longer centrally signs submissions
Posted Nov 8, 2011 23:41 UTC (Tue) by raven667 (subscriber, #5198) [Link]
kernel.org no longer centrally signs submissions
Posted Nov 9, 2011 0:24 UTC (Wed) by jimparis (guest, #38647) [Link]
kernel.org no longer centrally signs submissions
Posted Nov 9, 2011 2:49 UTC (Wed) by giraffedata (guest, #1954) [Link]
Thanks; that's exactly what I was thinking. The great advantage of a digital signature is that it gives you a basis for trusting something regardless of how it got to you. If I found a kernel by the side of the road, I'd say, "Hell yes, I'll put that on my server. I can see that kernel.org blessed this particular arrangement of bits at some point." But it would be ridiculous to say, "This looks OK. Somebody signed it."
The developer signature appears to serve an entirely different purpose from the kernel.org automatic signature (I suppose it is what tells kernel.org, which does know all the individuals, it's OK to take the code), but the article makes it sound like it is a replacement of -- and improvement on -- it.
kernel.org no longer centrally signs submissions
Posted Nov 9, 2011 3:11 UTC (Wed) by raven667 (subscriber, #5198) [Link]
Auto signing doesn't provide any more verification than an md5sum file which would probably be a better choice. When signatures are used people often assume a higher level of verification than really exists. Usually when releases are signed the private key is not publicly accessible and is on a separate device that only release approvers have access to, an offline workstation or smart card for example. That procedure can be a higher level of assurance that the bits you have are the right ones