Slashdot Mirror


Debian Locks Out Developers

daria42 wrote in with an update to an earlier story about a Debian server that was compromised. He explains: "The Debian GNU/Linux project has discovered a compromised developer account was used to gain access to a server compromised this week. A local kernel vulnerability was then used to gain root access. Due to this, a number of developers with weak passwords have been locked out of their system accounts." To be fair, they'll most likely be let in once everything's back to normal. Of course, they'll probably need to set safer passwords too.

6 of 331 comments

  1. kernel exploited... by scum-e-bag · · Score: 4, Informative

        Schulze said the particular Linux vulnerability only exists in kernel versions:

        • 2.6.13 up to versions before 2.6.17.4
        • 2.6.16 up to versions before 2.6.16.24

        Schulze advised admins to upgrade their software if they were using these versions but said the current stable version of Debian was not affected as it runs kernel 2.6.8.

    I guess this means that there are a lot of Ubuntu users out there who are vulnerable right now... how long for the patch?

    Also, the article seems to be a little out. Shouldn't it be just 2.6.12 -> 2.6.17.4, as this includes 2.6.16 -> 2.6.16.24?
    --
    Does it go on forever?
    1. Re:kernel exploited... by scum-e-bag · · Score: 5, Informative

      According to the ubuntu-security-announce lists, the current up-to-date kernel version is 2.6.15-26.44. This was released 3 days ago, before the Debian server compromise was announced. According to the ZDNet report, this version falls within the exploitable range.

      I made a mistake in my initial post, slip of the finger: 2.6.13* not 2.6.12*

      --
      Does it go on forever?
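A version-range check for the two kernel ranges quoted in the thread above, added here as an example; it is not code from the thread, from Debian or from ZDNet. The point it makes is that the advisory's two ranges are not redundant: by plain numeric comparison 2.6.16.24 lies between 2.6.13 and 2.6.17.4, yet it is the fixed release of the 2.6.16 stable branch, so the stable branch has to be checked on its own before the mainline range is consulted. The function names and the sample version strings are mine.

```python
"""Version-range check for the affected kernels listed in the thread above.

Added example; not from the thread, Debian, or ZDNet.  The stable 2.6.16.y
branch got its own fix (2.6.16.24), so it is tested before the mainline
range, otherwise 2.6.16.24 would wrongly be reported as affected.
"""
import re

# (branch prefix or None, first affected, first fixed), per the post above.
AFFECTED = [
    ((2, 6, 16), (2, 6, 16), (2, 6, 16, 24)),  # 2.6.16.y stable branch
    (None, (2, 6, 13), (2, 6, 17, 4)),         # mainline 2.6.13 .. 2.6.17.3
]


def parse_kernel_version(s):
    """'2.6.15-26.44-server' -> (2, 6, 15).

    Everything from the first '-' on is a distribution suffix (or an
    -rcN tag) and carries no upstream version information, so it is
    dropped; see the caveat in upstream_version_affected().
    """
    upstream = s.split("-", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", upstream):
        raise ValueError(f"not a kernel version: {s!r}")
    return tuple(int(x) for x in upstream.split("."))


def upstream_version_affected(s):
    """True if the upstream version number falls in an affected range.

    Tuple comparison does the right thing for dotted versions:
    (2, 6, 16) < (2, 6, 16, 24) < (2, 6, 17).  A True result means
    "possibly affected": a distribution kernel such as 2.6.15-26.44 can
    carry a backported fix under an unchanged upstream number, so the
    distribution's own advisory decides, not this check.
    """
    v = parse_kernel_version(s)
    for branch, first_affected, first_fixed in AFFECTED:
        if branch is None or v[: len(branch)] == branch:
            return first_affected <= v < first_fixed
    return False


if __name__ == "__main__":
    # Constructed sample inputs, including the Ubuntu version from the reply.
    for ver in ["2.6.8", "2.6.12", "2.6.13", "2.6.15-26.44", "2.6.16.23",
                "2.6.16.24", "2.6.17.3", "2.6.17.4"]:
        state = "in affected range" if upstream_version_affected(ver) else "outside"
        print(f"{ver:14} {state}")
```

Run it against the output of uname -r to get a first answer; treat "in affected range" as a prompt to read the distribution's advisory, not as a verdict.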
  2. Re:Passwords by ozbird · · Score: 4, Informative

    John the Ripper most likely. Great tool - recovered the root password for an SGI box a friend bought on eBay in less than a second (your password may vary.)

  3. Accounts with bad passwords locked, not all by dondelelcaro · · Score: 5, Informative

    The story title is a bit misleading; only accounts with bad passwords or those who (for $DEITY knows what reason) appeared to have private keys on gluck were locked out. Everyone who has sane passwords and/or only uses ssh keys to log into their accounts still has access.

    Of course, anyone who could actually log in already knows this because they've read d-d-a (or have already logged in.) In any event, rather troubling that the PRCTL bug managed to find its way into the kernel, but good that the intrusion was caught relatively quickly and neutralized.

    --
    http://www.donarmstrong.com
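The second lockout criterion in the comment above, private keys left on the server, is the kind of thing worth scanning for on any multi-user host. The scanner below is an added example, not Debian's own audit tooling. It assumes the keys to find are the PEM-style text files ssh-keygen and openssl write, and reads passphrase protection from the format where that is visible: "Proc-Type: 4,ENCRYPTED" in traditional PEM, the "ENCRYPTED PRIVATE KEY" label in PKCS#8, and the cipher name in the openssh-key-v1 container ("none" means unprotected). The sample home directories, file contents and function names are constructed for the example.

```python
"""Scan home directories for private keys (added example, not Debian's code).

Reports each key file found and whether it is passphrase-protected, as far
as the on-disk format shows that.
"""
import base64
import os
import re
import shutil
import tempfile

KEY_HEADER = re.compile(rb"-----BEGIN ([A-Z0-9 ]*?)PRIVATE KEY-----")


def _openssh_cipher(data):
    """Cipher name from an openssh-key-v1 blob, or None if it is not one."""
    body = b"".join(l.strip() for l in data.splitlines() if not l.startswith(b"-----"))
    try:
        raw = base64.b64decode(body, validate=True)
    except ValueError:
        return None
    magic = b"openssh-key-v1\x00"
    if not raw.startswith(magic):
        return None
    off = len(magic)
    n = int.from_bytes(raw[off:off + 4], "big")  # length-prefixed ciphername
    return raw[off + 4:off + 4 + n].decode("ascii", "replace")


def classify_key(data):
    """(kind, passphrase_protected) for a private-key file, else None."""
    m = KEY_HEADER.search(data)
    if not m:
        return None
    kind = m.group(1).strip().decode() or "PKCS8"
    if kind == "OPENSSH":
        cipher = _openssh_cipher(data)
        protected = "unknown" if cipher is None else ("no" if cipher == "none" else "yes")
    elif kind == "ENCRYPTED":  # PKCS#8 encrypted form
        kind, protected = "PKCS8", "yes"
    else:  # traditional PEM (RSA, DSA, EC) or plain PKCS#8
        protected = "yes" if b"Proc-Type: 4,ENCRYPTED" in data else "no"
    return kind, protected


def scan_tree(root, max_bytes=1 << 20):
    """Walk root; return sorted (relative path, kind, protected) findings."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.islink(path) or os.path.getsize(path) > max_bytes:
                    continue  # skip links and anything too big to be a key file
                with open(path, "rb") as f:
                    data = f.read()
            except OSError:
                continue  # unreadable; a real audit would log this
            hit = classify_key(data)
            if hit:
                findings.append((os.path.relpath(path, root), *hit))
    return sorted(findings)


def make_openssh_key_file(cipher):
    """Constructed minimal openssh-key-v1 container (NOT a usable key):
    the magic, then the cipher name as a length-prefixed string."""
    raw = b"openssh-key-v1\x00" + len(cipher).to_bytes(4, "big") + cipher.encode()
    return (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(raw)
            + b"\n-----END OPENSSH PRIVATE KEY-----\n")


def build_sample_homes():
    """Create a constructed home-directory tree in a temp dir; caller removes it."""
    root = tempfile.mkdtemp(prefix="homes-")
    files = {
        "alice/.ssh/id_rsa": (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                              b"DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                              b"AAAA\n-----END RSA PRIVATE KEY-----\n"),
        "bob/.ssh/id_dsa": b"-----BEGIN DSA PRIVATE KEY-----\nMIIB\n-----END DSA PRIVATE KEY-----\n",
        "carol/backup/server.key": make_openssh_key_file("none"),
        "dave/.ssh/authorized_keys": b"ssh-rsa AAAA dave@laptop\n",  # public key: fine
        "dave/notes.txt": b"no keys here\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_homes()
    try:
        for rel, kind, protected in scan_tree(root):
            print(f"{rel:28} {kind:8} passphrase-protected: {protected}")
    finally:
        shutil.rmtree(root)
```

Point it at /home as root; an unprotected key in the findings is exactly the case the comment describes, since whoever got root on the box also got that key.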
  4. Re:Ah. balance by BecomingLumberg · · Score: 4, Informative

    Well, the permutations change depending on whether or not the program displays that you are correct with the first password. Cracking a 16 digit password would square the time it took to crack, where two eight digit passwords separately would simply double it.

    --
    If a nation expects to be ignorant and free, in a state of civilization, it expects what never was and never will be.-TJ
  5. Re:Ah. balance by aymanh · · Score: 4, Informative
    Talking about openssh's security, here's a vital patch:
    -PermitRootLogin yes
    +PermitRootLogin no
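    Review bot: "PermitRootLogin no" also refuses root logins that authenticate with a key, which is what usually breaks an existing backup or deployment job; if root must stay reachable non-interactively, the value "without-password" (spelled "prohibit-password" in OpenSSH 7.0 and later) rejects password logins for root while keeping key-based ones. Also, sshd uses the first occurrence of each keyword, so this line has to come before any other PermitRootLogin in the file or it is silently ignored.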

    A couple more:

    Protocol 2
    PermitEmptyPasswords no
    LoginGraceTime 2m
    MaxAuthTries 6

    And it's always a good idea to restrict SSH access to trusted IP addresses in /etc/hosts.allow.
    --
    python>>> q="'";s='q="%c";s=%c%s%c;print s%%(q,q,s,q)';print s%(q,q,s,q)
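The settings listed in the comment above are easy to get wrong in practice because of how sshd reads its config: keywords are case-insensitive, "#" starts a comment, the first occurrence of a keyword is the one that counts, and directives below a "Match" line are conditional rather than global. The audit below, added here as an example and not code from the thread or from OpenSSH, checks the global section of an sshd_config against that list. PasswordAuthentication no is my addition to the baseline, since key-only logins are what kept the unaffected developers out of the lockout in this story; the two sample configs and the function names are constructed for the example.

```python
"""Audit the global section of an sshd_config against a hardening baseline.

Added example; not from the thread or from OpenSSH.  A missing keyword is
reported rather than assumed, because the compiled-in default differs
between OpenSSH releases.
"""
import re

_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def _seconds(value):
    """Parse sshd's time format ('2m', '90', '1h30m'); None if malformed."""
    if not re.fullmatch(r"(\d+[smhdw]?)+", value, re.IGNORECASE):
        return None
    return sum(int(n) * _UNITS[u.lower()]
               for n, u in re.findall(r"(\d+)([smhdw]?)", value, re.IGNORECASE))


# keyword -> predicate the (lower-cased) value must satisfy
BASELINE = {
    "protocol": lambda v: v == "2",  # only meaningful where SSH-1 still exists
    "permitrootlogin": lambda v: v in ("no", "without-password", "prohibit-password"),
    "permitemptypasswords": lambda v: v == "no",
    "logingracetime": lambda v: _seconds(v) is not None and _seconds(v) <= 120,
    "maxauthtries": lambda v: v.isdigit() and int(v) <= 6,
    "passwordauthentication": lambda v: v == "no",  # my addition, see lead-in
}


def parse_global(text):
    """{keyword: first value} for the global section of an sshd_config."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break  # everything below applies only to matching connections
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings


def audit(text):
    """Return (keyword, value, problem) findings; an empty list passes."""
    settings = parse_global(text)
    findings = []
    for key, ok in BASELINE.items():
        if key not in settings:
            findings.append((key, None, "not set; the compiled-in default decides"))
        elif not ok(settings[key]):
            findings.append((key, settings[key], "weaker than baseline"))
    return findings


# Constructed samples, not real host configs.
WEAK_CONFIG = """\
Port 22
Protocol 2,1
PermitRootLogin yes
LoginGraceTime 10m
MaxAuthTries 20
PermitEmptyPasswords yes
PermitRootLogin no      # ignored by sshd: the earlier line wins
Match User backup
    PasswordAuthentication no   # conditional, not the global setting
"""

HARDENED_CONFIG = """\
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
LoginGraceTime 2m
MaxAuthTries 6
PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)]:
        findings = audit(cfg)
        print(f"{name}: {'OK' if not findings else ''}")
        for key, value, problem in findings:
            print(f"  {key} = {value!r}: {problem}")
```

Two caveats for anyone applying the comment's list on a current system: Protocol is ignored by modern OpenSSH because SSH-1 support has been removed, and /etc/hosts.allow is no longer consulted since tcp_wrappers support was dropped in OpenSSH 6.7, so restrict source addresses with the packet filter or a "Match Address" block instead.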