Re: Does a known security issue allow ssh login via system accounts?

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


On Mon, 28 Feb 2022, Whit Blauvelt wrote:

> Hi,
> If this is not the right place to ask this, please redirect me. Hopefully it
> is a known vulnerability, due to out of date software. We had a server
> running OpenSSH_8.6p1 compiled on Ubuntu 16.04.7 which was compromised last
> week. The intruder managed to achieve this:
>   Feb 24 08:13:52 localhost sshd[32276]: Accepted password for backup from port 37962 ssh2
> This despite that /etc/passwd has:
>   backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
> And /etc/shadow has:
>   backup:*:16359:0:99999:7:::

We're not aware of any security problems in OpenSSH 8.6 that could yield
access to a locked account like this.

On Ubuntu, OpenSSH delegates to PAM for password authentication and
verification of the user's shell against /etc/shells. You can check
whether this actually enabled using 'sudo sshd -T | grep ^usepam'

It sounds like you have already verified that your PAM configuration was
not tampered with, so that removes one possibility. Reviewing the Ubuntu
PAM configurations and the patches they apply to sshd seem to be prudent
next steps.

It's possible that the above log message was not from the initial
compromise, but rather the attacker running their own sshd to act as a
more reliable foothold.

Hopefully you're able to preseve and perform forensics on the host.
If there is evidence of a bug in sshd, then please send it to the
security bug reporting contact: openssh@xxxxxxxxxxx

Damien Miller
openssh-unix-dev mailing list

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux