Re: Security Question

On Tue, 2005-02-15 at 14:11 -0800, Scott Becker wrote:
> I've already set a proper password but on a twin testing machine the !!s 
> are there, before and after running my setup commands to change the 
> shell. Here's the top of message with the login and logout lines:
> Feb 13 06:36:09 backup sshd(pam_unix)[422]: authentication failure; 
> logname= uid=0 euid=0 tty=NODEVssh ruser= 
> rhost=dsl-82-199-133-138.dutchdsl.nl  user=apache
> Feb 13 06:36:17 backup sshd(pam_unix)[425]: session opened for user 
> apache by (uid=48)
> Feb 13 06:53:58 backup named[31607]: lame server resolving 
> '173.4.248.61.in-addr.arpa' (in '4.248.61.in-addr.arpa'?): 203.240.193.11#53
> Feb 13 06:53:58 backup named[31607]: lame server resolving 
> '173.4.248.61.in-addr.arpa' (in '4.248.61.in-addr.arpa'?): 203.251.201.1#53
> Feb 13 07:00:44 backup sshd(pam_unix)[425]: session closed for user apache

The problem is that I don't see how anyone could log in using ssh to an
account with !! in /etc/shadow. I have to suppose that there was
nothing instead of !! and then the login could succeed - the attacker
would first try no password, which wouldn't be allowed if
PermitEmptyPasswords is set to 'no' in /etc/ssh/sshd_config, and then he
would try any password and he would be allowed in. What versions of pam
and openssh do you have?

-- 
Tomas Mraz <tmraz@xxxxxxxxxx>
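
An added example, not part of the original message: a Python check for the two things the reply refers to, the password field of each /etc/shadow entry (empty versus `!!`) and the PermitEmptyPasswords setting in sshd_config. The sample file contents and all function names are constructed for illustration; `Match` blocks and the `keyword=value` form are assumed absent.

```python
# Constructed sample data; the real files are /etc/shadow and /etc/ssh/sshd_config.
SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhash:12829:0:99999:7:::
apache:!!:12829:0:99999:7:::
backup::12829:0:99999:7:::
named:*:12829:0:99999:7:::
"""
SAMPLE_SSHD_CONFIG = """\
# PermitEmptyPasswords no
PasswordAuthentication yes
permitemptypasswords yes
"""

def classify_password_field(field):
    """Classify the second field of an /etc/shadow entry."""
    if field == "":
        return "empty"    # no password set at all
    if field.startswith(("!", "*")):
        return "locked"   # no password can hash to this value
    return "hash"

def parse_shadow(text):
    """Return {user: state} for each well-formed shadow line."""
    states = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or line.startswith("#"):
            continue
        states[parts[0]] = classify_password_field(parts[1])
    return states

def permit_empty_passwords(config_text):
    """sshd uses the first value found for a keyword; the default is 'no'."""
    for line in config_text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if len(tokens) >= 2 and tokens[0].lower() == "permitemptypasswords":
            return tokens[1].lower() == "yes"
    return False

def audit(shadow_text, config_text):
    """Report accounts with an empty password field and the sshd setting."""
    states = parse_shadow(shadow_text)
    empties = sorted(u for u, s in states.items() if s == "empty")
    return {"empty_accounts": empties,
            "sshd_allows_empty": permit_empty_passwords(config_text)}

if __name__ == "__main__":
    print(audit(SAMPLE_SHADOW, SAMPLE_SSHD_CONFIG))
```

A "locked" result only covers password authentication; it says nothing about key-based logins for the same account.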

