On Tue, 1 Mar 2022 at 04:52, Whit Blauvelt <whit@xxxxxxxxxxxxx> wrote:
> If this is not the right place to ask this, please redirect me. Hopefully it
> is a known vulnerability, due to out of date software. We had a server
> running OpenSSH_8.6p1 compiled on Ubuntu 16.04.7

What options did you configure it with? In particular, did you enable PAM?

[...]
> Either the /usr/bin/nologin or the "*" in the second field of /etc/shadow
> should have been enough to prevent "Accepted password for backup."

If you enabled PAM then that's a function of the PAM stack and its config.

> The /usr/sbin/nologin is the standard version for that Ubuntu generation,
> byte identical.

Have you verified that the sshd has not been tampered with?

> Adding this to sshd_config was effective:
> DenyUsers backup
> If that's still not the default for system-level users like "backup", would
> adding it be a reasonable feature request? Or is that on the distros to
> define their default sshd_config settings?

That would be up to the distros.

> The files in pam.d on the compromised system are standard.

"standard" as in "vendor-supplied" or "as we normally set them"?

> There's no public
> key for "backup", and no ".ssh" folder in /var/backups. The intruder managed
> to send out spam via the local postfix service, which is what made the
> intrusion obvious. OSSEC (Wazuh) didn't spot anything. We've of course taken
> the system offline. But we'd like to understand how that login by "backup"
> was possible.

I'd be having a very close look at the PAM config. I've seen multiple
instances where a misconfigured PAM stack failed open and accepted either
an empty password or any password. One instance also ended up being used
for spam as you describe.

You can use pam-test-harness.c (https://www.dtucker.net/patches/) to test
your config.

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience.
Unfortunately, the experience usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
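The thread above turns on three facts a defender can check mechanically: whether an account's second field in /etc/shadow is locked ("*" or "!"-prefixed), whether its login shell is a nologin shell, and whether sshd_config's DenyUsers lists it. The script below is an added example and is not part of this thread, of OpenSSH, or of Darren Tucker's pam-test-harness; it reads the standard /etc/passwd, /etc/shadow, sshd auth-log and sshd_config formats only, and the sample passwd, shadow, log and config data embedded in it are constructed. It flags sshd "Accepted" lines that should not have happened: a successful password authentication for a locked account is the signature of a PAM stack that fails open (or a tampered sshd), while an "Accepted" for a nologin-shell account is unexpected but not on its own proof, since the shell is only consulted when the session starts, after authentication.

```python
"""Audit sshd 'Accepted' log lines against /etc/passwd and /etc/shadow.

Added example, not part of the openssh-unix-dev thread or of OpenSSH.
All sample data below is constructed for illustration.
"""
import re

# Shells conventionally used to disable interactive login (hypothetical list,
# extend to match the distribution being audited).
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/usr/bin/nologin", "/bin/false"}

# sshd success line, e.g. "Accepted password for backup from 198.51.100.7 port 40000 ssh2"
ACCEPT_RE = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_passwd(text):
    """Map username -> login shell (7th field) from /etc/passwd content."""
    shells = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and not line.startswith("#"):
            shells[fields[0]] = fields[6]
    return shells


def parse_shadow(text):
    """Map username -> password field (2nd field) from /etc/shadow content."""
    hashes = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and not line.startswith("#"):
            hashes[fields[0]] = fields[1]
    return hashes


def password_locked(field):
    """'*' or a '!'-prefixed field: no password can match under pam_unix."""
    return field == "*" or field.startswith("!")


def empty_password_accounts(shadow_text):
    """Accounts with an empty shadow field; a PAM stack using nullok accepts these."""
    return {user for user, field in parse_shadow(shadow_text).items() if field == ""}


def suspicious_logins(log_lines, shells, hashes):
    """Return (user, method, ip, reasons) for every Accepted line that should not occur.

    A password success for a locked account cannot come from pam_unix or from
    sshd's own password check, so it points at a failing-open PAM stack or a
    modified sshd.  An Accepted for a nologin-shell account is flagged as
    unexpected, but the shell alone does not block authentication.
    """
    hits = []
    for line in log_lines:
        m = ACCEPT_RE.search(line)
        if not m:
            continue
        user, method, ip = m.group("user"), m.group("method"), m.group("ip")
        reasons = []
        if method == "password" and password_locked(hashes.get(user, "")):
            reasons.append("password auth succeeded for a locked account")
        if shells.get(user) in NOLOGIN_SHELLS:
            reasons.append("account has a nologin shell")
        if reasons:
            hits.append((user, method, ip, reasons))
    return hits


def deny_users_covers(sshd_config_text, user):
    """True if a DenyUsers directive names the user exactly (patterns not expanded)."""
    for line in sshd_config_text.splitlines():
        parts = line.strip().split()
        if parts and parts[0].lower() == "denyusers" and user in parts[1:]:
            return True
    return False


# Constructed sample data: a 'backup' system account, locked and with nologin shell.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "backup:x:34:34:backup:/var/backups:/usr/sbin/nologin\n"
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n"
)
SAMPLE_SHADOW = (
    "root:!:19000:0:99999:7:::\n"
    "backup:*:19000:0:99999:7:::\n"
    "alice:$6$constructedsalt$constructedhash:19000:0:99999:7:::\n"
)
SAMPLE_AUTH_LOG = [
    "Mar  1 04:10:01 host sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2",
    "Mar  1 04:12:45 host sshd[1300]: Failed password for backup from 198.51.100.7 port 40000 ssh2",
    "Mar  1 04:12:47 host sshd[1300]: Accepted password for backup from 198.51.100.7 port 40000 ssh2",
]
SAMPLE_SSHD_CONFIG = "UsePAM yes\nDenyUsers backup\n"

if __name__ == "__main__":
    shells, hashes = parse_passwd(SAMPLE_PASSWD), parse_shadow(SAMPLE_SHADOW)
    for user, method, ip, reasons in suspicious_logins(SAMPLE_AUTH_LOG, shells, hashes):
        covered = deny_users_covers(SAMPLE_SSHD_CONFIG, user)
        print(f"ALERT {user} via {method} from {ip}: {'; '.join(reasons)} "
              f"(DenyUsers lists it: {covered})")
```

Run against a real host by reading the three files and the auth log in place of the constructed strings; the PAM stack itself is better exercised with the pam-test-harness Darren links, since this script only tells you that an impossible login was recorded, not which PAM module let it through.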