[ale] OpenSSH root vulnerability

John Mills jmmills at telocity.com
Mon Mar 11 08:06:51 EST 2002


Glenn, ALErs -

Re: SSH lockout after re-installation:
 Did you use (or not use) '--with-pam' properly with regard to your
system's login setup?

Did you install new ssh_config and sshd_config in /usr/local/etc?

Did you remove and replace the various keys:

# ls /usr/local/etc

ssh_host_key        ssh_host_key.pub        ssh_host_dsa_key
ssh_host_rsa_key    ssh_host_dsa_key.pub    ssh_host_rsa_key.pub

NOTE: Removing the old ones, 'make install' and 'make host-key' does most
of that - just make sure the new ones are actually being used. (I.e.,
check the messages at installation, and open a local session.)

Can you get any response from starting 'sshd' in foreground?
 ('# <path>/sshd -d -D' [I just read that - didn't try it - YMMV.])

Is 'sshd' actually running on the servers? ('ps -aux |grep ssh')

Can you open an 'ssh' login locally (login on the server then do 'ssh
localhost')? (Expect a warning that the host key has changed, and that you
must confirm to proceed.)

I cut down my accepted protocols to v.2 only, so now I need new copies of
'PuTTY' and 'Nifty-Telnet SSH' to login remotely. Did you change the
configuration?

Last but not least ('LBNL'?):
If you had shut down SSH through your firewall, did you re-open it?

Sorry about the bruises - I got lucky at that point.

 - Mills

On Mon, 11 Mar 2002, Glenn C. Lasher Jr. wrote:

> HELP!!!!
> 
> I did the upgrade to all of my servers, and now they won't let me log in!
> 
> I do have physical access to them to log in on consoles, and log in via
> telnet from behind the firewall only, but I can't get any system to
> recognize 100%
> tried-no-less-than-twenty-times-to-do-this-and-then-did-it-in-one-shot-using-non-secure-methods
> passwords and logins, and SSH insists that the passwords are invalid.
> Please help!
 
 
> On Sun, 10 Mar 2002, John Mills wrote:
 
> > On Fri, 8 Mar 2002, Stuffed Crust wrote:
> >
> > > On Fri, Mar 08, 2002 at 12:42:23PM -0500, John Mills wrote:
> > [Tale of woe building openssh-3.1p1 from source tarball]
> >
> > > So, you need to upgrade to a newer version of openssl.
> > > I built openssl 0.9.6b and openssh 3.1; RH 6.2 RPMs are at:
> >
> > Thanks - I have generally had better luck building these from sources,
> > rather than installing the RH rpms, and I had already downloaded
> > 'openssl-0.9.6c'
> >
> > I did get a few more flesh-wounds in the process, which I'll list here in
> > case it is helpful.
> >
> > I had no problem configuring, building, or installing openssl-0.9.6c,
> > except the usual quibble that the package expects you to configure and
> > build in the source tree. However, I couldn't get 'openssh-3.1p1' to
> > configure successfully after that. Instead, I flailed around reconfiguring
> > until:
> >
> > 1) Configured openssl-0.9.6c with '--prefix=/usr/local' and
> > '--openssldir=/usr/local/openssl' <-- This seemed unneeded, but without
> > it, 'openssh-3.1p1/configure' couldn't "#include <openssl/rand.h>"
> >
> > 2) Linked the new 'libssl.*' and 'libcrypto*' into /usr/lib, where they
> > replaced older links to 'openssl-0.9.5' libs.
> >
> > 3) Now I was able to configure openssh-3.1p1 with the corresponding
> > '--with-ssl-dir=/usr/local/openssl' (as well as "--with-tcpwrappers
> > --with-pam, --with-md5-passwords" _ENOUGH_ARREADY_!!) , and built without
> > [further] incident.
> >
> > In order to run the new package, I had to remove the old ssh* utils, as
> > they were in a different and earlier PATH branch than the new versions,
> > then I removed their old support files from '/usr/local/ssl/etc', _reran_
> > 'make install' &8-P), did 'make host-key', and it seemed I was good to go.
> >
> > Did a little patching on '/etc/rc.d/init.d/sshd', and restarted sshd.
> >
> > First login from another box asked me to OK a new key, which I took as
> > confirming a successful installation.



---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
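
Added example (not part of the original message, and not code from OpenSSH): a shell function that automates two checks from the list above, namely which host key files the installed sshd_config actually points at and which protocol it accepts. The function name and output format are made up for illustration; the config path is passed as an argument.

```shell
#!/bin/sh
# Usage (after sourcing this file): audit_sshd_config /usr/local/etc/sshd_config
# Prints one finding per line and returns the number of FAIL findings.
# Assumption: key paths contain no whitespace.

audit_sshd_config() {
    conf=$1
    problems=0
    if [ ! -r "$conf" ]; then
        echo "FAIL config not readable: $conf"
        return 1
    fi

    # Protocol: sshd uses the first uncommented value it reads.
    proto=$(awk 'tolower($1) == "protocol" { print $2; exit }' "$conf")
    echo "INFO protocol: ${proto:-unset (compiled-in default)}"

    # HostKey: every uncommented line names one private key file.
    keys=$(awk 'tolower($1) == "hostkey" { print $2 }' "$conf")
    if [ -z "$keys" ]; then
        echo "WARN no HostKey lines; sshd uses its compiled-in key paths"
    fi

    for key in $keys; do
        if [ ! -f "$key" ]; then
            echo "FAIL missing private key: $key"
            problems=$((problems + 1))
            continue
        fi
        # Characters 5-10 of the ls mode string are the group/other bits.
        # OpenSSH will not load a private key that group or other can access.
        mode=$(ls -ld "$key" | cut -c5-10)
        if [ "$mode" != "------" ]; then
            echo "FAIL private key readable by group/other: $key"
            problems=$((problems + 1))
        fi
        if [ ! -f "$key.pub" ]; then
            echo "WARN no public half next to: $key"
        fi
    done
    return "$problems"
}
```

A key file that exists in the directory but is not named by any HostKey line is not reported; compare the output against the 'ls' listing to spot leftovers from the old install.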





