LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 06-26-2002, 04:48 PM   #1
jeremy
root
 
Registered: Jun 2000
Distribution: Debian, Red Hat, Slackware, Fedora, Ubuntu
Posts: 10,390

Rep: Reputation: 2626Reputation: 2626Reputation: 2626Reputation: 2626Reputation: 2626Reputation: 2626Reputation: 2626Reputation: 2626Reputation: 2626Reputation: 2626Reputation: 2626
OpenSSH - Major Security Vulnerability


The OpenSSH vulnerability has been disclosed and affects all recent versions.
Quote:
At least one major security vulnerability exists in many deployed OpenSSH versions (2.9.9 to 3.3). Please see the ISS advisory, or our own OpenSSH advisory on this topic where simple patches are provided for the pre-authentication problem. Systems running with UsePrivilegeSeparation yes or ChallengeResponseAuthentication no are not affected.

The 3.4 release contain many other fixes done over a week long audit started when this issue came to light. We believe that some of those fixes are likely to be important security fixes. Therefore, we urge an upgrade to 3.4.
Everyone should upgrade to 3.4p1 ASAP. You can also:
Code:
        Disable ChallengeResponseAuthentication in sshd_config.
	and
        Disable PAMAuthenticationViaKbdInt in sshd_config.
Alternatively you can prevent privilege escalation if you enable UsePrivilegeSeparation in sshd_config. More information is available here - http://www.openssh.com/txt/preauth.adv

--jeremy
 
Old 06-27-2002, 12:34 AM   #2
wanvadder
LQ Newbie
 
Registered: Jul 2001
Location: Malaysia
Distribution: Redhat, NetBSD, OpenBSD
Posts: 4

Rep: Reputation: 0
for distro which is not using PAM, S/KEY and BSD_AUTH such as slackware is not vulnerable ( i guess )
 
Old 06-27-2002, 12:37 AM   #3
ifm
Member
 
Registered: Jun 2002
Location: USA
Distribution: RH7.3 & YDL2.1
Posts: 124

Rep: Reputation: 15
Unhappy

"WARNING: Privilege separation user "sshd" does not exist"

During "make install" I got that above error. The docs hint as to nothing about aleviating such error, so I was wondering if anyone had a idea how to go about shutting that up?

Thanks.
 
Old 06-27-2002, 04:03 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,306
Blog Entries: 54

Rep: Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857
"WARNING: Privilege separation user "sshd" does not exist"

Weird. Install shouldve added the privsep user, name sshd uid 74, IIRC.
 
Old 06-27-2002, 04:10 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,306
Blog Entries: 54

Rep: Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857
for distro which is not using PAM, S/KEY and BSD_AUTH such as slackware is not vulnerable ( i guess )

AFAIK this seems correct. Any distro where OpenSSH 2.9> wasn't compiled with S/Key BSD_AUTH *seems* unaffected. The PAM ViaKbdInt usually seems compiled in, but will need to be enabled by the admin to work as it's disabled by default.

But if you're taking your statement as an argument to *not* upgrade OpenSSH, think again: "Although some earlier versions are not affected upgrading to OpenSSH 3.4 is recommended, because OpenSSH 3.4 adds checks for a class of potential bugs" (ISS adv rev 2).
 
Old 06-27-2002, 08:22 AM   #6
RefriedBean
Member
 
Registered: Jun 2002
Location: N 37 33.327 E 126 55.650
Distribution: Gentoo, Slackware, OpenZaurus
Posts: 186

Rep: Reputation: 30
Quote:
Originally posted by ifm
"WARNING: Privilege separation user "sshd" does not exist"

During "make install" I got that above error. The docs hint as to nothing about aleviating such error, so I was wondering if anyone had a idea how to go about shutting that up?

Thanks.
I get the same error.. Any ideas?
 
Old 06-27-2002, 11:33 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,306
Blog Entries: 54

Rep: Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857
You mean adding the privsep user ("sshd" with uid 74 (IIRC)) didn't work? Then peruse the Makefile* around where you usually do "install" and it should say smptin about adduser.

*(or if youve ftp'ed the src.rpm un-rpm it for the spec, of mc the (src.)rpm)
 
Old 06-27-2002, 07:27 PM   #8
ifm
Member
 
Registered: Jun 2002
Location: USA
Distribution: RH7.3 & YDL2.1
Posts: 124

Rep: Reputation: 15
heh

Nope, it doesnt make it. I thought it WOULD... most every other install package I have done adds its needed users. Hrm.

So I just sorta ... winged it:

echo "sshd:x:600:600:sshd:/:" >> /etc/passwd
echo "sshd:x:600:" >> /etc/group


I dont condone this action to any unsuspecting people... but it appears to allow the sshd deamon run now without throwing the error into logs. Your UID and GID milage may vary.

If anyone has any important issues with what I have done... PELASE SPEAK UP! I would love to know the proper way (couldnt find the information in any make files... may be due to my stupidity though).
 
Old 06-27-2002, 09:31 PM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,306
Blog Entries: 54

Rep: Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857Reputation: 2857
Np, grepping tarball contents for the (u|g)id turns up:
./contrib/caldera/openssh.spec:%define sshd_uid 67
./contrib/redhat/openssh.spec:%define sshd_uid 74

Also README.privsep sez:
"You should do something like the following to prepare the privsep preauth environment:
# mkdir /var/empty
# chown root:sys /var/empty
# chmod 755 /var/empty
# groupadd sshd
# useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd"
 
Old 06-27-2002, 09:36 PM   #10
RefriedBean
Member
 
Registered: Jun 2002
Location: N 37 33.327 E 126 55.650
Distribution: Gentoo, Slackware, OpenZaurus
Posts: 186

Rep: Reputation: 30
Lightbulb

Thanks for all your help guys!

But I found the patched version of openssh at ftp.slackware.com, in the slackware-current/patches directory,, it worked great!

Good Luck!
RefriedBean
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
IYO(in your opinion) Best security/vulnerability Mailing list MitchM99 Linux - Security 6 10-04-2005 10:33 PM
Firefox/Javascript security vulnerability...... BajaNick General 2 04-12-2005 09:22 AM
Removing security features of apache = vulnerability? MooCows Linux - Security 1 12-30-2004 08:54 AM
Security: Java plugin vulnerability!! peacebwitchu Linux - Security 0 11-25-2004 05:48 PM
downloading fix for recent security vulnerability - RH v2.1 AS joeslazenger Linux - Security 1 12-03-2003 02:24 PM


All times are GMT -5. The time now is 11:09 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration