Slashdot Mirror


The OpenSSH Bug That Wasn't

badger.foo writes: Get your facts straight before reporting, is the main takeaway from Peter Hansteen's latest piece, The OpenSSH Bug That Wasn't. OpenSSH servers that are set up to use PAM for authentication and with a very specific (non-default on OpenBSD and most other places) setup are in fact vulnerable, and fixing the configuration is trivial.

11 of 55 comments

  1. Spoiler by bobstreo · · Score: 5, Informative

    According to the article, it's a bug in PAM.

    You shouldn't see this behaviour with SSH unless you have PAM authentication turned on. And apparently only in FreeBSD?

      And as OpenBSD developer Marc Espie says in his message,

            Not surprisingly, as the patch clearly shows, the problem is right smack in the middle of USE_PAM code.

            I wouldn't call that an OpenSSH bug. I would call it a systemic design flaw in PAM. As usual. LOTS of security holes in authentication systems stem from PAM. Why? Because that stuff is over-designed. Difficult to configure. Gives you MORE than you need to hang yourself several times over. It's been that way for as long as I can remember.

    1. Re:Spoiler by Forever+Wondering · · Score: 3, Interesting

      I just tested this (I've got UsePAM yes in sshd_config) on Fedora 21 and I only get three tries before disconnect. So, what's special about FreeBSD?

      --
      Like a good neighbor, fsck is there ...
  2. I love the attitude by Sowelu · · Score: 3, Insightful

    I love the attitude of one of the anon commenters: if you don't know enough to configure every single security option on your system right out of the box, you shouldn't have your *nix machine hooked up to the internet. Truly, this is the year of *nix on the desktop.

    1. Re:I love the attitude by Bert64 · · Score: 3, Interesting

      That's very true, and doesn't just apply to Unix-based systems... You should not be connecting a system to a public network unless you fully understand and control it, and Windows is actually much worse in this regard because it's massively more complicated than any Unix.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    2. Re:I love the attitude by ogdenk · · Score: 3, Interesting

      If grandma knew how vulnerable she truly was the way a good sysadmin should, she'd cut the cords herself with a pair of sewing shears.

    3. Re:I love the attitude by DarkOx · · Score: 3, Interesting

      Generally I agree, but if you are going to brute force, knowing the user names is half the battle. root is one you know will be there, and it's a valuable one if you could get it.

      I never try and brute force passwords on pentests. I usually brute force user names with a handful of bad passwords. That is, once I work out how user names are constructed: first letter of first name plus last name, or whatever is being used. I'll dictionary like this:

      asmith:password1
      asmith:P@$$w0rd
      asmith:Summer2015!
      bsmith:password1
      bsmith:P@$$w0rd
      bsmith:Summer2015!

      If the organization is big enough, someone has used one of the top 100 worst passwords. Hopefully it's not a sysadmin.

      Then there's the issue of the root account being shared. No, nobody should ever be allowed to log on as root directly. Why? Because then you have no accountability. Was it Jim, Bob, Ted, or Sally who did that? I don't know. On the other hand, if you have some kind of secure logging in place and you make people log on with their own account, you at least have the log entry of who did sudo or su. Attribution is important!

      Finally, if Bob leaves the company, yes, the root password needs to be changed. Sometimes though there are reasons you can't immediately do that. Usually these are problems in and of themselves, but that is neither here nor there. It should be safe to disable or delete Bob's account the moment he walks out the door. If root logins are not allowed you will be 'mostly' even if it takes Sally a few days to change the root password everywhere.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  3. No it's a bug in OpenSSH by pavon · · Score: 3, Informative

    It is a bug in OpenSSH misusing PAM. They argue that these sorts of bugs wouldn't be as easy to make if PAM were less complicated, which is certainly true, but it is still a bug in OpenSSH.

  4. fixing the configuration is trivial by El_Muerte_TDS · · Score: 4, Insightful

    > fixing the configuration is trivial

    So trivial that the suggested configuration change is not mentioned anywhere.

  5. However the attitude above is broken by dbIII · · Score: 3, Insightful

    disabling root logins has no security benefit at all

    Of course it does. That former employee who knows the root password or has the keys can't get to it. The current employee who fat-fingers a command to the wrong host can't do much damage. That thief with a stolen laptop can't use a key to get full access remotely. There is a very, very long list, and it's just inexperience, laziness or lack of sleep that's stopping you from thinking of entries in it.

  6. Re:It may not be an OpenSSH bug ... by Demonoid-Penguin · · Score: 3

    That's because your parser's broken.

    No, my parser is fine. Your's matches your usename - that is just a pseudonym, right?

    ... but still, if PAM is configured with OpenSSH, a PAM bug may sometimes be mis-identified to be an OpenSSH bug

    Then it's not an OpenSSH bug. (and that's not English)

    No matter if it's a PAM bug or an OpenSSH bug, a but report which points out a vulnerability is good thing for the community

    (assuming the coward means "bug report"). No - it's a waste of limited resources. Big scare about an insecurity in OpenSSH which did not exist.

    "King Cope" posted to the Full Disclosure mailing list Fri, 17 Jul 2015 21:23:36 +0000 (UTC) (according to my email system) with an exploit

    ssh -lusername -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000'` targethost

    and "a patch for openssh-6.9p1 that will allow to use a wordlist and any passwords piped to the ssh process to be used in order to crack passwords remotely.". Applying the patch allows an attacker to try as many attempts as possible within the grace time (2 minutes). The best case scenario allows an estimated 10000 attempts in that time period.

    I only read it because he's usually good for a laugh, or, as is this case, a face-palm.

    Which might brute force a very short (stupid) password that would fall to a small, lucky dictionary attack. Which is why BP is to use a key.

    He mentions in that email that it has been "tested against a new FreeBSD 10.1 system and older FreeBSD versions such as version 6.2.".

    something that will allow the users to tighten up their configuration to deny that bug from being able to function in the first place

    Tighten up what? Their SSH configurations? It is a bug in PAM that is restricted to a small range of BSD versions.
    Tightening up SSH, which is already as tight as it can be against the exploit unless you deliberately loosened it (as Sex Conker would recommend - but he's an idiot). Default configurations already stop the exploit (no root ssh login, all ssh logins with keys).

    The exploit would only affect insecure systems that use piss-poor password security - and even then only on a limited number of BSD systems.

    That belief is as broken as the idea that if there's a story that a cigarette lighter exploded, which causes a panic about cigarette lighters and calls for a recall of them - and it turns out to be a case of someone in petrol-soaked pants being injured when the cigarette lighter in their pocket exploded as a result of them falling out of a building and landing on their arse. Unfortunately they had a box of matches in the back pocket which exploded on impact, setting fire to their pants - the heat of the flames caused the cigarette lighter to explode.

    The moral of the story is not - oh the panic about cigarette lighters exploding was a good thing.
    It would have been a "good thing" if that energy was spent on warning people of the dangers of wearing petrol pants and falling out of windows.

    It would be a "good thing" if people focused on the actual bug in PAM instead of trying to justify their earlier panic (the sky is not falling).

    The coward that wrote that gibberish you're defending, who is obviously not you, is referring to what bug report? Hint: there was none, just another of King Cope's self-promoting and inflated security exploits (he also thinks robots.txt is a security hole). You fell for it, get over it.
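    As an added example (not from this thread, the linked article, or OpenSSH itself), a checker for the sshd_config settings the discussion above turns on: whether PAM keyboard-interactive is enabled (UsePAM plus ChallengeResponseAuthentication, the keyboard-interactive switch in OpenSSH 6.x, which is the path the quoted command exercises), whether root or password logins are permitted at all, and how many attempts and how long a LoginGraceTime an unauthenticated client gets. Option names and defaults are OpenSSH's; the two sample configs are constructed, and the function names are mine.

```python
import re

# OpenSSH 6.x defaults for the options that matter here (assumption: no distribution
# override; FreeBSD's packaged sshd_config, for example, ships UsePAM yes).
DEFAULTS = {"usepam": "no", "challengeresponseauthentication": "yes",
            "passwordauthentication": "yes", "permitrootlogin": "yes",
            "maxauthtries": "6", "logingracetime": "120"}

def _seconds(value):
    """LoginGraceTime: bare seconds or one s/m/h suffix (combined forms like 1h30m not handled)."""
    m = re.fullmatch(r"(\d+)([smh]?)", value)
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600}[m.group(2)]

def parse_sshd_config(text):
    """Global section of sshd_config: '#' starts a comment, 'key value' or 'key=value',
    first occurrence of a key wins, and parsing stops at the first Match block
    (its settings are conditional and ignored here)."""
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, value = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]
        if key.lower() == "match":
            break
        found.setdefault(key.lower(), value.strip().lower())
    return {**DEFAULTS, **found}

def check_password_guessing_exposure(conf):
    """Findings for the multi-attempt keyboard-interactive issue; empty list = nothing flagged."""
    grace = _seconds(conf["logingracetime"])
    checks = [
        (conf["usepam"] == "yes" and conf["challengeresponseauthentication"] == "yes",
         "PAM keyboard-interactive enabled (UsePAM yes + ChallengeResponseAuthentication yes)"),
        (conf["passwordauthentication"] == "yes", "PasswordAuthentication yes: prefer keys only"),
        (conf["permitrootlogin"] == "yes", "PermitRootLogin yes: root reachable with a password"),
        (int(conf["maxauthtries"]) > 3, "MaxAuthTries above 3 per connection"),
        (grace == 0 or grace > 30, "LoginGraceTime above 30s (0 means unlimited)"),
    ]
    return [msg for hit, msg in checks if hit]

# Constructed sample: a PAM host with stock attempt limits, the case the thread describes.
WEAK = "UsePAM yes\nChallengeResponseAuthentication yes\nPermitRootLogin yes\n"
# Constructed sample: key-only logins and a short unauthenticated window.
HARDENED = ("UsePAM yes\nChallengeResponseAuthentication no\nPasswordAuthentication no\n"
            "PermitRootLogin no\nMaxAuthTries 3\nLoginGraceTime 30s\n"
            "Match User backup\n    PasswordAuthentication yes\n")
```

    Run `check_password_guessing_exposure(parse_sshd_config(open("/etc/ssh/sshd_config").read()))` on a real host; the WEAK sample yields five findings and HARDENED none.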

  7. Re:It may not be an OpenSSH bug ... by Hognoxious · · Score: 4, Funny

    No, my parser is fine. Your's matches your usename

    Luckily I just ordered a new pack of needles for my irony meter.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."