Re: Does a known security issue allow ssh login via system accounts?

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Tue, 1 Mar 2022 at 04:52, Whit Blauvelt <whit@xxxxxxxxxxxxx> wrote:
> If this is not the right place to ask this, please redirect me. Hopefully it
> is a known vulnerability, due to out of date software. We had a server
> running OpenSSH_8.6p1 compiled on Ubuntu 16.04.7

What options did you configure it with?  In particular, did you enable PAM?

[...]
> Either the /usr/bin/nologin or the "*" in the second field of /etc/shadow
> should have been enough to prevent "Accepted password for backup."

If you enabled PAM then that's a function of the PAM stack and its config.

> The /usr/sbin/nologin is the standard version for that Ubuntu generation,
> byte identical.

Have you verified that the sshd has not been tampered with?

> Adding this to sshd_config was effective:
>   DenyUsers backup
> If that's still not the default for system-level users like "backup", would
> adding it be a reasonble feature request? Or is that on the distros to
> define their default sshd_config settings?

That would be up to the distros.

> The files in pam.d on the compromised system are standard.

"standard" as in "vendor-supplied" or "as we normally set them"?

> There's no public
> key for "backup", and no ".ssh" folder in /var/backups. The intruder managed
> to send out spam via the local postfix service, which is what made the
> intrusion obvious. OSSEC (Wazuh) didn't spot anything. We've of course taken
> the system offline. But we'd like to understand how that login by "backup"
> was possible.

I'd be having a very close look at the PAM config.  I've seen multiple
instances where a misconfigured PAM stack failed open and accepted
either an empty password or any password.  One instance also ended up
being used for spam as you describe.

You can use pam-test-harness.c (https://www.dtucker.net/patches/) to
test your config.

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux