Bugtraq mailing list archives
Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0
From: "Jen B." <jen () sedition org>
Date: Sat, 21 Jul 2001 04:47:53 -0400 (EDT)
<from SSH's advisory>
in SSH Secure Shell 3.0.0, for Unix only, concerning accounts with password fields consisting of two or fewer characters.
I've tested this on a few machines that I recently upgraded and have a nit to pick the "or fewer" portion of this statement. It's quite late here and I feel I am stating the elementary, further comments and corrections would be very helpful. On RH 6.2 some of the password fields are nulled in /etc/shadow with "*" and some with "!!" The only accounts vulnerable to this bug were the ones using "!!" or any other two-character combinations that I tried. I replaced the offending accounts with a single character and was unable to login with the "ease" that I had before. I tested on Debian 2.2 and RedHat 6.2. It is worth noting that Debian does NOT null logins in /etc/shadow using two characters by default like Red Hat. btw, I also tested on FreeBSD-4.2 and was unable to login without providing the proper password regardless of the number of characters I had in the password field. -Jen jen () sedition org debian:~# telnet localhost 22 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. SSH-2.0-3.0.0 SSH Secure Shell (non-commercial) Connection closed by foreign host. debian:~# uname -a Linux debian 2.4.6-pre3 #4 SMP Tue Jun 26 12:34:37 EST 2001 ppc unknown debian:~# cat /etc/shadow | grep irc irc:!!:11498:0:99999:7::: debian:~# ssh -l irc localhost irc's password: Authentication successful. Last login: Sat Jul 21 2001 01:44:01 -0500 No mail. irc@debian:~$ debian:~# vi /etc/shadow ... debian:~# cat /etc/shadow | grep irc irc:!:11498:0:99999:7::: debian:~# ssh -l irc localhost irc's password: irc's password: irc's password: warning: Authentication failed. Disconnected; no more authentication methods available (No further authentication methods available.).
Current thread:
- URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Stephanie Thomas (Jul 20)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Dan Kaminsky (Jul 20)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Dale Southard (Jul 21)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Nate Eldredge (Jul 23)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Brandon S. Allbery KF8NH (Jul 23)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Dale Southard (Jul 21)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Michal Zalewski (Jul 21)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 j (Jul 21)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Trond Eivind Glomsrød (Jul 23)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Jen B. (Jul 21)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Marcus Meissner (Jul 21)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Florian Weimer (Jul 23)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Thomas Roessler (Jul 23)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Lucian Hudin (Jul 23)
- RE: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Sports (Jul 24)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Seth Arnold (Jul 24)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Thomas Roessler (Jul 23)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Dan Kaminsky (Jul 20)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Marcin Zurakowski (Jul 23)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Brian Carpio (Jul 23)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Stephanie Thomas (Jul 23)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Brian Carpio (Jul 23)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Jaime BENJUMEA (Jul 23)