---

FreeBSD Security Advisory: Module: ssh

Date: Wed, 7 Jun 2000 17:17:16 -0700
From: FreeBSD Security Advisories security-advisories@freebsd.org

To: BUGTRAQ@SECURITYFOCUS.COM
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:21.ssh
[REVISED]

FreeBSD-SA-00:21                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          ssh port listens on extra network port [REVISED]

Category:       ports
Module:         ssh
Announced:      2000-06-07
Credits:        Jan Koum jkb@best.com
Affects:        Ports collection.
Corrected:      2000-04-21
FreeBSD only:   Yes

I. Background

SSH is an implementation of the Secure Shell protocol for
providing encrypted and authenticated communication between
networked machines.

II. Problem Description

A patch added to the FreeBSD SSH port on 2000-01-14 incorrectly
configured the SSH daemon to listen on an additional network port,
722, in addition to the usual port 22. This change was made as part
of a patch to allow the SSH server to listen on multiple ports, but
the option was incorrectly enabled by default.

This may cause a violation of security policy if the additional
port is not subjected to the same access-controls (e.g.
firewallling) as the standard SSH port.

Note this is not a vulnerability associated with the SSH
software itself, and it is not likely to be a risk for the majority
of installations, since a remote user must still have valid SSH
credentials in order to access the SSH server on the alternate
port. The risk is that users may be able to access the SSH server
from IP addresses which are prohibited to connect to the standard
port.

The ssh port is not installed by default, nor is it “part of
FreeBSD” as such: it is part of the FreeBSD ports collection, which
contains over 3300 third-party applications in a ready-to-install
format. The ports collection shipped with FreeBSD 4.0 contains this
problem since it was discovered after the release.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

FreeBSD 4.0 ships with OpenSSH, a free implementation of the SSH
protocol, included within the base system. OpenSSH does not suffer
from this misconfiguration.

III. Impact

Remote users with valid SSH credentials may access the ssh
server on a non-standard port, potentially bypassing IP address
access controls on the standard SSH port.

If you have not chosen to install the ssh port/package, or
installed it prior to 2000-01-14 or after 2000-04-21, then your
system is not vulnerable to this problem.

IV. Workaround

One of the following:

1) Comment out the line “Port 722” in /usr/local/etc/sshd_config
and restart sshd

2) Add filtering rules to your perimeter firewall, or on the
local machine (using ipfw or ipf) to limit connections to port
722.

3) Deinstall the ssh port/package, if you you have installed
it.

V. Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the ssh
port.

2) download a new port skeleton for the ssh port from:

http://www.freebsd.org/ports/

and use it to rebuild the port. Note that packages are not
provided for the ssh port.

3) Use the portcheckout utility to automate option (2) above.
The portcheckout port is available in /usr/ports/devel/portcheckout
or the package can be obtained from:


ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz

VI. Revision History

v1.0 2000-06-07 Initial release
v1.1 2000-06-07 Corrected typo in name of sshd config file

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis