LinuxQuestions.org


jeremy 06-26-2002 04:48 PM

OpenSSH - Major Security Vulnerability
 
The OpenSSH vulnerability has been disclosed and affects all recent versions.
Quote:

At least one major security vulnerability exists in many deployed OpenSSH versions (2.9.9 to 3.3). Please see the ISS advisory, or our own OpenSSH advisory on this topic where simple patches are provided for the pre-authentication problem. Systems running with UsePrivilegeSeparation yes or ChallengeResponseAuthentication no are not affected.

The 3.4 release contains many other fixes done over a week long audit started when this issue came to light. We believe that some of those fixes are likely to be important security fixes. Therefore, we urge an upgrade to 3.4.

Everyone should upgrade to 3.4p1 ASAP. You can also:
Code:

        Disable ChallengeResponseAuthentication in sshd_config.
        and
        Disable PAMAuthenticationViaKbdInt in sshd_config.

Alternatively you can prevent privilege escalation if you enable UsePrivilegeSeparation in sshd_config. More information is available here - http://www.openssh.com/txt/preauth.adv

--jeremy
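
The workarounds listed in the post above, checked against a config file; this is an added example, not part of the original thread or of OpenSSH. It assumes only explicit settings count (an unset option is reported as `unset`, never as a mitigation), and the sample configs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the
# workarounds listed in the post. Assumption: only explicit settings count;
# an unset option prints "unset" and is never treated as a mitigation.

# effective_value FILE KEYWORD: print the first explicit value for KEYWORD,
# or "unset". Keywords are case-insensitive; the first occurrence wins.
effective_value() {
    awk -v want="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        tolower($1) == tolower(want) { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# audit_sshd_config FILE: print the three settings and a verdict.
# Returns 0 if a workaround from the post is explicitly set, 1 otherwise.
audit_sshd_config() {
    privsep=$(effective_value "$1" UsePrivilegeSeparation)
    chalresp=$(effective_value "$1" ChallengeResponseAuthentication)
    pamkbd=$(effective_value "$1" PAMAuthenticationViaKbdInt)
    echo "UsePrivilegeSeparation=$privsep"
    echo "ChallengeResponseAuthentication=$chalresp"
    echo "PAMAuthenticationViaKbdInt=$pamkbd"
    if [ "$chalresp" = no ] && [ "$pamkbd" = no ]; then
        echo "OK: both challenge-response options are disabled"
        return 0
    fi
    if [ "$privsep" = yes ]; then
        echo "OK: privilege separation is on (upgrade to 3.4 still urged)"
        return 0
    fi
    echo "WARN: no workaround is explicitly set; upgrade or edit the config"
    return 1
}

# Constructed sample configs, used only to exercise the audit.
demo_dir=$(mktemp -d)
printf '%s\n' '# UsePrivilegeSeparation yes' 'useprivilegeseparation no' \
    'UsePrivilegeSeparation yes' 'ChallengeResponseAuthentication yes' \
    > "$demo_dir/exposed"      # the later "yes" is ignored: first value wins
printf '%s\n' 'ChallengeResponseAuthentication no' \
    'PAMAuthenticationViaKbdInt no' > "$demo_dir/disabled"
for f in exposed disabled; do
    echo "== $f"
    audit_sshd_config "$demo_dir/$f" || true
done
rm -rf "$demo_dir"
```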

wanvadder 06-27-2002 12:34 AM

A distro which is not using PAM, S/KEY and BSD_AUTH, such as Slackware, is not vulnerable (I guess).

ifm 06-27-2002 12:37 AM

"WARNING: Privilege separation user "sshd" does not exist"

During "make install" I got that above error. The docs hint as to nothing about alleviating such error, so I was wondering if anyone had an idea how to go about shutting that up?

Thanks.

unSpawn 06-27-2002 04:03 AM

"WARNING: Privilege separation user "sshd" does not exist"

Weird. Install should've added the privsep user, name sshd uid 74, IIRC.

unSpawn 06-27-2002 04:10 AM

A distro which is not using PAM, S/KEY and BSD_AUTH, such as Slackware, is not vulnerable (I guess).

AFAIK this seems correct. Any distro where OpenSSH 2.9> wasn't compiled with S/Key BSD_AUTH *seems* unaffected. The PAM ViaKbdInt usually seems compiled in, but will need to be enabled by the admin to work as it's disabled by default.

But if you're taking your statement as an argument to *not* upgrade OpenSSH, think again: "Although some earlier versions are not affected upgrading to OpenSSH 3.4 is recommended, because OpenSSH 3.4 adds checks for a class of potential bugs" (ISS adv rev 2).

RefriedBean 06-27-2002 08:22 AM

Quote:

Originally posted by ifm
"WARNING: Privilege separation user "sshd" does not exist"

During "make install" I got that above error. The docs hint as to nothing about alleviating such error, so I was wondering if anyone had an idea how to go about shutting that up?

Thanks.

I get the same error.. Any ideas?

unSpawn 06-27-2002 11:33 AM

You mean adding the privsep user ("sshd" with uid 74 (IIRC)) didn't work? Then peruse the Makefile* around where you usually do "install" and it should say something about adduser.

*(or if you've ftp'ed the src.rpm, un-rpm it for the spec, or mc the (src.)rpm)

ifm 06-27-2002 07:27 PM

heh
 
Nope, it doesn't make it. I thought it WOULD... most every other install package I have done adds its needed users. Hrm.

So I just sorta ... winged it:

echo "sshd:x:600:600:sshd:/:" >> /etc/passwd
echo "sshd:x:600:" >> /etc/group


I don't condone this action to any unsuspecting people... but it appears to allow the sshd daemon to run now without throwing the error into logs. Your UID and GID mileage may vary.

If anyone has any important issues with what I have done... PLEASE SPEAK UP! I would love to know the proper way (couldn't find the information in any make files... may be due to my stupidity though).

unSpawn 06-27-2002 09:31 PM

Np, grepping tarball contents for the (u|g)id turns up:
./contrib/caldera/openssh.spec:%define sshd_uid 67
./contrib/redhat/openssh.spec:%define sshd_uid 74

Also README.privsep sez:
"You should do something like the following to prepare the privsep preauth environment:
# mkdir /var/empty
# chown root:sys /var/empty
# chmod 755 /var/empty
# groupadd sshd
# useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd"

RefriedBean 06-27-2002 09:36 PM

Thanks for all your help guys!

But I found the patched version of openssh at ftp.slackware.com, in the slackware-current/patches directory, it worked great!

Good Luck!
RefriedBean


All times are GMT -5.