Hi,

If this is not the right place to ask this, please redirect me. Hopefully it is a known vulnerability, due to out of date software.

We had a server running OpenSSH_8.6p1 compiled on Ubuntu 16.04.7 which was compromised last week. The intruder managed to achieve this:

Feb 24 08:13:52 localhost sshd[32276]: Accepted password for backup from 5.161.47.185 port 37962 ssh2

This despite that /etc/passwd has:

backup:x:34:34:backup:/var/backups:/usr/sbin/nologin

And /etc/shadow has:

backup:*:16359:0:99999:7:::

Either the /usr/bin/nologin or the "*" in the second field of /etc/shadow should have been enough to prevent "Accepted password for backup." The /usr/sbin/nologin is the standard version for that Ubuntu generation, byte identical.

Adding this to sshd_config was effective:

DenyUsers backup

If that's still not the default for system-level users like "backup", would adding it be a reasonable feature request? Or is that on the distros to define their default sshd_config settings?

The files in pam.d on the compromised system are standard. There's no public key for "backup", and no ".ssh" folder in /var/backups.

The intruder managed to send out spam via the local postfix service, which is what made the intrusion obvious. OSSEC (Wazuh) didn't spot anything. We've of course taken the system offline. But we'd like to understand how that login by "backup" was possible.

Thanks for any pointers. It's hard to google for this, due to "backup" being such a generic term.

Whit

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
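A detection check for the situation described in the message, as an added example that is not part of the original post or of OpenSSH: it flags sshd "Accepted" log lines for accounts whose passwd shell or shadow password field says they should not be able to log in. The "alice" entries, the second log line and all function names are constructed for illustration; the "backup" entries and first log line are the ones quoted in the message.

```python
import re

# Constructed sample data: the backup entries and first log line are quoted
# from the message above; the alice entries and second log line are made up.
PASSWD = """\
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SHADOW = """\
backup:*:16359:0:99999:7:::
alice:$6$constructedsalt$constructedhash:19000:0:99999:7:::
"""
AUTH_LOG = """\
Feb 24 08:13:52 localhost sshd[32276]: Accepted password for backup from 5.161.47.185 port 37962 ssh2
Feb 24 09:00:01 localhost sshd[32301]: Accepted password for alice from 192.0.2.10 port 50000 ssh2
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)

def load_accounts(passwd_text, shadow_text):
    """Map user -> (login shell, shadow password field)."""
    shell = {f[0]: f[6] for f in (l.split(":") for l in passwd_text.splitlines()) if len(f) >= 7}
    pw = {f[0]: f[1] for f in (l.split(":") for l in shadow_text.splitlines()) if len(f) >= 2}
    return {u: (s, pw.get(u, "")) for u, s in shell.items()}

def suspicious_logins(passwd_text, shadow_text, log_text):
    """Return accepted sshd logins for accounts that look non-interactive."""
    accounts = load_accounts(passwd_text, shadow_text)
    findings = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if not m or m["user"] not in accounts:
            continue
        shell, pw = accounts[m["user"]]
        reasons = []
        if shell in NOLOGIN_SHELLS:
            reasons.append("nologin shell")
        if m["method"] == "password" and pw[:1] in ("*", "!"):
            reasons.append("locked password field")
        if reasons:
            findings.append((m["user"], m["ip"], m["method"], reasons))
    return findings

if __name__ == "__main__":
    for finding in suspicious_logins(PASSWD, SHADOW, AUTH_LOG):
        print(finding)
```

On a live host the three inputs would be the contents of /etc/passwd, /etc/shadow and the sshd auth log, read with sufficient privileges.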