Slashdot Mirror


The OpenSSH Bug That Wasn't

badger.foo writes: Get your facts straight before reporting, is the main takeaway from Peter Hansteen's latest piece, The OpenSSH Bug That Wasn't. OpenSSH servers that are set up to use PAM for authentication and with a very specific (non-default on OpenBSD and most other places) setup are in fact vulnerable, and fixing the configuration is trivial.

4 of 55 comments

  1. Re:Spoiler by Forever+Wondering · Score: 3, Interesting

    I just tested this (I've got UsePAM yes in sshd_config) on Fedora 21 and I only get three tries before disconnect. So, what's special about FreeBSD?

    --
    Like a good neighbor, fsck is there ...
  2. Re:I love the attitude by Bert64 · Score: 3, Interesting

    That's very true, and doesn't just apply to Unix-based systems... You should not be connecting a system to a public network unless you fully understand and control it, and Windows is actually much worse in this regard because it's massively more complicated than any Unix.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  3. Re:I love the attitude by ogdenk · Score: 3, Interesting

    If grandma knew how vulnerable she truly was the way a good sysadmin should, she'd cut the cords herself with a pair of sewing shears.

  4. Re:I love the attitude by DarkOx · Score: 3, Interesting

    Generally I agree, but if you are going to brute force, knowing the user names is half the battle. root is one you know will be there, and it's a valuable one if you could get it.

    I never try and brute force passwords on pentests. I usually brute force user names with a handful of bad passwords. That is, once I work out how user names are constructed (first letter of first name plus last name, or whatever is being used). I'll dictionary like this:

    asmith:password1
    asmith:P@$$w0rd
    asmith:Summer2015!
    bsmith:password1
    bsmith:P@$$w0rd
    bsmith:Summer2015!

    If the organization is big enough, someone has used one of the top 100 worst passwords. Hopefully it's not a sysadmin.

    Then there is the issue of the root account being shared. No, nobody should ever be allowed to log on as root directly. Why? Because then you have no accountability. Was it Jim, Bob, Ted, or Sally who did that? I don't know. On the other hand, if you have some kind of secure logging in place and you make people log on with their own account, you at least have the log entry of who did sudo or su. Attribution is important!

    Finally, if Bob leaves the company, yes, the root password needs to be changed. Sometimes, though, there are reasons you can't immediately do that. Usually these are problems in and of themselves, but that is neither here nor there. It should be safe to disable or delete Bob's account the moment he walks out the door. If root logins are not allowed you will be 'mostly' even if it takes Sally a few days to change the root password everywhere.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
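The pattern DarkOx describes (many user names, each tried against a handful of passwords) looks different in sshd's auth log from a classic single-account brute force, and that difference is what a defender can key detection on. The following is an added example, not code from the thread or from OpenSSH: it parses a set of constructed sshd log lines (the hostnames, IPs, user names and timestamps are made up), groups failed password attempts by source address, and labels each source as a username spray (several distinct users, few attempts each), a brute force (one user hammered repeatedly) or noise. It also records whether a source tried root directly, which is the case a `PermitRootLogin no` policy is meant to shut off. The thresholds are assumptions to be tuned against real traffic.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not from the page or from any real host).
SAMPLE_LOG = """\
Jul 23 10:01:02 bastion sshd[1201]: Failed password for invalid user asmith from 203.0.113.5 port 50100 ssh2
Jul 23 10:01:03 bastion sshd[1201]: Failed password for invalid user asmith from 203.0.113.5 port 50100 ssh2
Jul 23 10:01:05 bastion sshd[1203]: Failed password for invalid user bsmith from 203.0.113.5 port 50102 ssh2
Jul 23 10:01:06 bastion sshd[1203]: Failed password for invalid user bsmith from 203.0.113.5 port 50102 ssh2
Jul 23 10:01:08 bastion sshd[1205]: Failed password for cjones from 203.0.113.5 port 50104 ssh2
Jul 23 10:01:09 bastion sshd[1207]: Failed password for root from 203.0.113.5 port 50106 ssh2
Jul 23 10:01:10 bastion sshd[1207]: Failed password for root from 203.0.113.5 port 50106 ssh2
Jul 23 10:02:00 bastion sshd[1300]: Failed password for dlee from 198.51.100.7 port 40000 ssh2
Jul 23 10:02:01 bastion sshd[1300]: Failed password for dlee from 198.51.100.7 port 40000 ssh2
Jul 23 10:02:02 bastion sshd[1300]: Failed password for dlee from 198.51.100.7 port 40000 ssh2
Jul 23 10:02:03 bastion sshd[1302]: Failed password for dlee from 198.51.100.7 port 40002 ssh2
Jul 23 10:02:04 bastion sshd[1302]: Failed password for dlee from 198.51.100.7 port 40002 ssh2
Jul 23 10:02:05 bastion sshd[1302]: Failed password for dlee from 198.51.100.7 port 40002 ssh2
Jul 23 10:02:06 bastion sshd[1304]: Failed password for dlee from 198.51.100.7 port 40004 ssh2
Jul 23 10:03:00 bastion sshd[1400]: Accepted publickey for ops from 192.0.2.9 port 33000 ssh2: ED25519 SHA256:constructedfingerprint
"""

# Matches the standard sshd "Failed password" line; the optional "invalid user "
# prefix tells us whether the account even exists on the host.
FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2"
)


def parse_failures(log_text):
    """Yield (user, source_ip, is_invalid_user) for every failed password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip"), bool(m.group("invalid"))


def classify_sources(log_text, spray_users=3, spray_max_per_user=3, brute_attempts=5):
    """Group failures by source IP and label each source.

    'spray' : at least spray_users distinct names, none tried more than
              spray_max_per_user times (the username-first pattern from the thread)
    'brute' : few names, but at least brute_attempts failures in total
    'noise' : not enough failures to call either way
    The thresholds are assumed values for illustration, not tuned defaults.
    """
    per_ip = defaultdict(lambda: defaultdict(int))
    root_tried = set()
    for user, ip, _is_invalid in parse_failures(log_text):
        per_ip[ip][user] += 1
        if user == "root":
            root_tried.add(ip)

    report = {}
    for ip, users in per_ip.items():
        total = sum(users.values())
        if len(users) >= spray_users and max(users.values()) <= spray_max_per_user:
            label = "spray"
        elif total >= brute_attempts and len(users) < spray_users:
            label = "brute"
        else:
            label = "noise"
        report[ip] = {
            "label": label,
            "distinct_users": len(users),
            "failures": total,
            "root_attempted": ip in root_tried,
        }
    return report


if __name__ == "__main__":
    for ip, info in classify_sources(SAMPLE_LOG).items():
        print(f"{ip:15} {info['label']:5} users={info['distinct_users']} "
              f"failures={info['failures']} root={info['root_attempted']}")
```

Only failed password lines feed the counters, so the accepted public-key login from 192.0.2.9 never appears in the report; in practice this is the kind of per-source aggregation a log shipper or fail2ban-style filter would run, and the `root_attempted` flag is a cheap check that a root-login ban is actually holding.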