Bugtraq mailing list archives
Re: sshd and pop/ftponly users incorrect configuration
From: schaefer () ALPHANET CH (Marc SCHAEFER)
Date: Tue, 15 Feb 2000 15:44:08 +0100
On Tue, 15 Feb 2000, Nick Lamb wrote:
> 1. Is this a bug (which will be or has already been fixed in OpenSSH)
It's a bug, a feature, and a misconfiguration. The bug is SSH issuing local redirecting connections with root. This was presumably fixed in OpenSSH. Allowing valid users (with a shell) to open connections coming from localhost is a feature, and the misconfiguration is forgetting DenyGroups on users who are supposed not to be able to log in except, e.g., for mail. The real issue, however, is the common misconception that setting a user's shell to /bin/false, to prevent the user from logging in while still allowing reading POP mail and FTP, is enough to prevent the user from issuing local-issued connections to services. The impact is clear: bypassing firewalling, or hosts.deny. Additionally, it will create fake IDENT (but that's a ssh feature, it seems).
> 2. Does PAM provide any immunity? If the user should be locked out of SSH by PAM (as in the Linux OpenSSH ports) then will this
If the user is refused by ssh authentication (be it because it's firewalled, DenyGroupsed, invalid password or PAM), you are safe. Noone we talk about breaking passworded accounts.
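
An added audit sketch for the misconfiguration discussed in this message (not part of the original post and not code from any SSH distribution): it lists accounts whose shell is a non-login placeholder such as /bin/false but which the global DenyUsers, DenyGroups, AllowUsers and AllowGroups directives of sshd_config do not refuse. The sample file contents, the shell list and all function names are constructed for illustration.

```python
import fnmatch

NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}  # assumed list
ACL_KEYS = ("denyusers", "allowusers", "denygroups", "allowgroups")

# Constructed sample data, not taken from the post.
PASSWD = """root:x:0:0:root:/root:/bin/sh
popuser:x:1001:200:POP only:/home/popuser:/bin/false
ftpuser:x:1002:1002:FTP only:/home/ftpuser:/bin/false
alice:x:1003:1003:Alice:/home/alice:/bin/sh"""
GROUP = """mailonly:x:200:
ftpuser:x:1002:
alice:x:1003:"""
SSHD_CONFIG = """# global section
DenyGroups mailonly
"""

def parse_sshd_acl(config_text):
    """Collect Allow*/Deny* patterns from the global section of sshd_config."""
    acl = {k: [] for k in ACL_KEYS}
    for raw in config_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if words and words[0].lower() == "match":
            break  # Match blocks are conditional and not evaluated here
        if words and words[0].lower() in acl:
            acl[words[0].lower()].extend(words[1:])
    return acl

def groups_of(user, gid, group_text):
    """Primary and supplementary group names for one passwd entry."""
    rows = (l.split(":") for l in group_text.splitlines())
    return {r[0] for r in rows if len(r) >= 4 and (r[2] == gid or user in r[3].split(","))}

def matches(names, patterns):
    # Plain glob match; user@host and negated patterns are treated as non-matching.
    return any(fnmatch.fnmatchcase(n, p) for n in names for p in patterns)

def exposed_accounts(passwd_text, group_text, config_text):
    """Non-login-shell accounts that the sshd allow/deny lists do not refuse."""
    acl, exposed = parse_sshd_acl(config_text), []
    for f in (l.split(":") for l in passwd_text.splitlines()):
        if len(f) < 7 or f[6] not in NOLOGIN_SHELLS:
            continue
        user, groups = f[0], groups_of(f[0], f[3], group_text)
        denied = (matches([user], acl["denyusers"]) or matches(groups, acl["denygroups"])
                  or (acl["allowusers"] and not matches([user], acl["allowusers"]))
                  or (acl["allowgroups"] and not matches(groups, acl["allowgroups"])))
        if not denied:
            exposed.append(user)
    return exposed

if __name__ == "__main__":
    print(exposed_accounts(PASSWD, GROUP, SSHD_CONFIG))
```

An account reported here may still be refused at authentication for other reasons (PAM, a locked password, firewalling), which this sketch does not inspect.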