---

Home Infrastructure

FreeBSD Security Advisory: FreeBSD-SA-00:30.openssh

By

Date: Wed, 5 Jul 2000 16:12:36 -0700
From: FreeBSD Security Advisories
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:30.openssh

-----BEGIN PGP SIGNED MESSAGE-----


FreeBSD-SA-00:30                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          OpenSSH UseLogin directive permits remote root access

Category:       core
Module:         openssh
Announced:      2000-07-05
Credits:        Markus Friedl 
Affects:        FreeBSD 4.0-RELEASE, FreeBSD 4.0-STABLE and 5.0-CURRENT
                prior to the correction date
Corrected:      2000-06-11
Vendor status:  Disclosed vulnerability.
FreeBSD only:   NO

I. Background

OpenSSH is an implementation of the SSH1 (and SSH2 in later
versions) secure shell protocols for providing encrypted and
authenticated network access, which is available free for
unrestricted use.

II. Problem Description

The sshd server is typically invoked as root so it can manage
general user logins. OpenSSH has a configuration option, not
enabled by default (“UseLogin”) which specifies that user logins
should be done via the /usr/bin/login command instead of handled
internally.

OpenSSH also has a facility to enable remote users to execute
commands on the server non-interactively. In this case, the
UseLogin directive fails to correctly drop root privileges before
executing the command, meaning that remote users without root
access can execute commands on the local system as root.

Note that with the default configuration, OpenSSH is not
vulnerable to this problem, and this option is not needed for the
vast majority of systems.

OpenSSH is installed if you chose to install the ‘crypto’
distribution at install-time or when compiling from source, and you
either have the international RSA libraries or installed the RSAREF
port.

III. Impact

If your sshd configuration was modified to enable the ‘UseLogin’
directive then remote users with SSH access to the local machine
can execute arbitrary commands as root.

IV. Workaround

Set ‘UseLogin No’ in your /etc/ssh/sshd_config file and restart
the SSH server by issuing the following command as root:

# kill -HUP `cat /var/run/sshd.pid`

This will cause the parent process to respawn and reread its
configuration file, and should not interfere with existing SSH
sessions.

Note that a bug in sshd (discovered during preparation of this
advisory, fixed in FreeBSD 5.0-CURRENT and 4.0-STABLE as of
2000-07-03) means that it will fail to restart correctly unless it
was originally invoked with an absolute path (i.e. “/usr/sbin/sshd”
instead of “sshd”). Therefore you should verify that the server is
still running after you deliver the HUP signal:

# ps -p `cat /var/run/sshd.pid`
  PID  TT  STAT      TIME COMMAND
 2110  ??  Ss     0:00.97 /usr/sbin/sshd

If the server is no longer running, restart it by issuing the
following command as root:

# /usr/sbin/sshd

V. Solution

One of the following:

1) Upgrade to FreeBSD 4.0-STABLE or 5.0-CURRENT after the
correction date. Note that these versions of FreeBSD contain a
newer version of OpenSSH than was in 4.0-RELEASE, version 2.1,
which provides enhanced functionality including support for the
SSH2 protocol and DSA keys.

2) Save this advisory as a file and extract the relevant patch
for your version of FreeBSD, or download the relevant patch and
detached PGP signature from the following location:

# fetch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:30/sshd.patch

# fetch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:30/sshd.patch.asc

Verify the detached signature using your PGP utility.

Issue the following commands as root:

# cd /usr/src/crypto/openssh
# patch -p < /path/to/patch/or/advisory
# cd /usr/src/secure/lib/libssh
# make all
# cd /usr/src/secure/usr.sbin/sshd
# make all install
# kill -HUP `cat /var/run/sshd.pid`

See the note in the “Workarounds” section about verifying that
the sshd server is still running.

VI. Patch

   Index: sshd.c
   ===================================================================
   RCS file: /home/ncvs/src/crypto/openssh/sshd.c,v
   retrieving revision 1.6
   diff -u -r1.6 sshd.c
   --- sshd.c   2000/03/09 14:52:31     1.6
   +++ sshd.c   2000/07/04 03:40:46
   @@ -2564,7 +2564,13 @@
        char *argv[10];
    #ifdef LOGIN_CAP
        login_cap_t *lc;
   +#endif

   +    /* login(1) is only called if we execute the login shell */
   +    if (options.use_login && command != NULL)
   +            options.use_login = 0;
   +
   +#ifdef LOGIN_CAP
        lc = login_getpwclass(pw);
        if (lc == NULL)
                lc = login_getclassbyname(NULL, pw);

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOWPAn1UuHi5z0oilAQEt8QP+KlhsdMVqBjI6mhO/opnpIr+vFo5zxu4R
rhPwSfyXf/ufRPcJbiQFjBlHwQWaOnt2N3w6MJYI4qNySPHmqIa1Cnxv8Em0K/ke
wdFr8sXOZiqgBbu1aJRSsB+5Vc/TQFdHcY/QGwpUIUGYkDvEYcp46iDpQgiS41BW
9hRgZIgcigo=
=nEJ0
-----END PGP SIGNATURE-----

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis

Must Read

LinuxToday is a trusted, contributor-driven news resource supporting all types of Linux users. Our thriving international community engages with us through social media and frequent content contributions aimed at solving problems ranging from personal computing to enterprise-level IT operations. LinuxToday serves as a home for a community that struggles to find comparable information elsewhere on the web.

Our Brands

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.