Bugtraq mailing list archives

bug in ssh allowing to be invisible


From: greg () LIGHTING ML ORG (Grzegorz Stelmaszek)
Date: Mon, 19 Apr 1999 15:30:20 +0200


Hi,

Sorry, but maybe I'll resend this email (I was very sleepy while writing
prev letter).

Hi,

I have just discovered that there is a bug in sshd allowing an ordinary user
to be shown as not logged in while logged in. You should simply ssh to the
remote host and run the command "bash". One thing that's not so good is that
you will not have the controlling terminal, but ...
Look at this:
---
debian:~# w
  9:51pm  up 10 min,  3 users,  load average: 0.00, 0.02, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
root     tty1                       9:41pm 12.00s  0.81s  0.63s  ssh -l
root     tty2                       9:44pm  6:30   0.22s  0.06s  ppf
root     tty3                       9:44pm  0.00s  0.26s  0.04s  w
debian:~# ssh -lgreg localhost /bin/bash
greg@127.0.0.1's password:
finger
Login     Name      Tty  Idle  Login Time   Office     Office Phone
root      root      *1         Apr 18 21:41
root      root      *2      6  Apr 18 21:44
root      root      *3         Apr 18 21:44
whoami
greg
---
This means that the potential unprivileged user can use any account in
the system (hacked or so), and it's possible that root will not know what
is happening (or will know when it's too late ;-).

Vulnerable: all known by me ssh versions (<=1.2.26)
Solution: If this bug is as serious as I think I'll write a patch.

Regards,
        Greg

*******************************************************************************
* Grzegorz Stelmaszek        *       For my public PGP key finger
* greg () lighting ml org       *          greg () lighting ml org
* http://www.lighting.ml.org *
******************************
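
A check an administrator could run for the situation in the post above, as an added example that is not part of the original message: it cross-references saved `who` output against the process table and reports commands started by sshd without a terminal for users who have no login record. The function names, the sample data (constructed) and the `ps -eo pid,ppid,user,tty,comm` column layout with "?" for no terminal are assumptions.

```shell
# Constructed sample data modelled on the session in the post (not captures).
sample_who() {
cat <<'EOF'
root     tty1         Apr 18 21:41
root     tty2         Apr 18 21:44
root     tty3         Apr 18 21:44
EOF
}

sample_ps() {   # layout assumed: ps -eo pid,ppid,user,tty,comm
cat <<'EOF'
  PID  PPID USER     TT       COMMAND
    1     0 root     ?        init
  120     1 root     ?        sshd
  201     1 root     tty1     bash
  230   201 root     tty1     ssh
  231   120 root     ?        sshd
  232   231 greg     ?        bash
  240     1 daemon   ?        atd
EOF
}

# find_unlisted WHO_FILE PS_FILE
# Prints "user pid command" for each process that has no controlling
# terminal, is a direct child of an sshd process, and is owned by a user
# with no entry in WHO_FILE (saved output of who).
find_unlisted() {
    awk '
        FILENAME == ARGV[1] { listed[$1] = 1; next }   # who: logged-in users
        FNR == 1 { next }                              # skip the ps header
        { ppid[$1] = $2; user[$1] = $3; tty[$1] = $4; comm[$1] = $5 }
        END {
            for (p in comm)
                if (tty[p] == "?" && comm[p] != "sshd" &&
                    (ppid[p] in comm) && comm[ppid[p]] == "sshd" &&
                    !(user[p] in listed))
                    print user[p], p, comm[p]
        }
    ' "$1" "$2" | sort
}

# Run the check over the constructed sample above.
run_sample() {
    d=$(mktemp -d) || return 1
    sample_who > "$d/who"; sample_ps > "$d/ps"
    find_unlisted "$d/who" "$d/ps"
    rm -rf "$d"
}
run_sample   # prints: greg 232 bash
```

On a live host, save `who` and `ps -eo pid,ppid,user,tty,comm` to two files and pass them to `find_unlisted`.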


