Bugtraq mailing list archives

Re: SSH 1.x and 2.x Daemon

From: jkb () BEST COM (Jan B. Koum)
Date: Sun, 24 Jan 1999 14:39:30 -0800


        This is not the case with ssh 1.1.26 running on FreeBSD 2.2.8
        If I expire an account:
        Expire [month day year]: January 1, 1999
        Then when I try to ssh in I just get:
        Permission denied.

-- Yan

On Sat, Jan 23, 1999 at 05:06:44PM -0500, KuRuPTioN <kuruption () CHA0S COM> wrote:

There seems to be incomplete code in the SSH daemon in both versions 1.2.27
and 2.0.11 (only tested).  The bug simply allows users who with expired
accounts (in /etc/shadow) to continue to login even though other such
services such as ftp and telnet deny access.  Here is the log using 1.2.27
(but the same happens with 2.0.11).

[root@epicenter /etc]# chage -l lamer
Minimum:        3
Maximum:        30
Warning:        5
Inactive:       -1
Last Change:            Jan 01, 1999
Password Expires:       Jan 31, 1999
Password Inactive:      Never
Account Expires:        Jan 22, 1999
[root@epicenter /etc]# date
Sat Jan 23 13:57:51 PST 1999
[root@epicenter /etc]# telnet localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
login: lamer
Password:
Your account has expired.  Please contact the system administrator.
Connection closed by foreign host.
[root@epicenter /etc]# ssh1 -l lamer localhost
lamer@127.0.0.1's password:
No mail.
(lamer@epicenter) lamer>

.......

Now I wanted to try whether the account expiration worked using SSH, and it
does.  If a user's password has expired, then SSH will prompt following the
login for the user to enter a new password and disconnect them if they fail
to (like a telnet would).

I have reported this problem to the SSH bug e-mail address about 2 weeks ago
with no response.

Current System Configuration:
Linux 2.0.36
Shadow Utilities 980724
SSH 1.2.27 and 2.0.11 (both daemons)

Any solutions (patch?) to this problem would be appreciated.  Currently I
just run a shell script to change the user's shell to deny them, but this
shouldn't be necessary since this is one of the listed features of the
Shadow Utilities.

Thanks.
Raymond T Sundland

Current thread:

WebRamp M3 remote network access bug, (continued)
- WebRamp M3 remote network access bug John Stanley (Jan 21)
  - Re: WebRamp M3 remote network access bug James Egelhof (Jan 21)
  - Perl.exe and IIS security advisory mnemonix (Jan 22)
    - Re: Perl.exe and IIS security advisory Tabor J. Wells (Jan 24)
    - Repost: Wietse's FTP site has moved Wietse Venema (Jan 25)
    - Using Example Domain Names in Exploits bandregg () REDHAT COM (Jan 25)
    - IIS Advisory Update Marc (Jan 24)
- backdoored tcp wrapper source code Wietse Venema (Jan 21)
  - Re: backdoored tcp wrapper source code John Stange (Jan 23)
    - SSH 1.x and 2.x Daemon KuRuPTioN (Jan 23)
    - Re: SSH 1.x and 2.x Daemon Jan B. Koum (Jan 24)
    - Re: SSH 1.x and 2.x Daemon Linux Mailing Lists (Jan 25)
    - Re: SSH 1.x and 2.x Daemon KuRuPTioN (Jan 25)
    - Re: SSH 1.x and 2.x Daemon Alan Olsen (Jan 24)
    - baynetworks router DoS Virsoft (Jan 25)
    - Re: baynetworks router DoS Neale Banks (Jan 26)
    - 2.2.0 SECURITY (fwd) Aaron Lehmann (Jan 26)
    - IBM CICS Universal Client 3.x Rude Yak (Jan 27)
    - Re: SSH 1.x and 2.x Daemon Yutaka OIWA (Jan 25)
    - Call for Papers: UNIX AND WINDOWS NT Fred Donck (Jan 25)
    - New IE4 privacy issue aleph1 () UNDERGROUND ORG (Jan 25)

(Thread continues...)