[REDHAT] Re: OpenSSH bug workaround *NOT NEEDED* (fwd)
Matthew J. Brodeur
mbrodeur at NextTime.com
Thu Jun 27 09:30:01 EDT 2002
On Thu, 27 Jun 2002, John Chambers wrote:
>
> Another reason you might want to wait: I tried installing 3.3 on my
> home machine.
Don't look now, but the latest version is now 3.4. :)
The difference between 3.3 and 3.4 seems to be that the vulnerability
was avoidable in 3.3, whereas in 3.4 it's actually been fixed.
> I can now ssh out, but incoming connections all get "Permission denied"
> after I type the password, and /var/log/messages gets a "Failed password
> for jc from 64.28.81.46 port 46127 ssh2" type message.
What distro (or *nix flavor) is this? My gut reaction is that it's a
PAM or shadow password issue. If it's Red Hat, or probably any RPM based
system, the RPM spec file has the right build flags. If it isn't, you'll
have to make sure that you have the right "--with-pam" or "--with-shadow"
arguments to configure.
> One curiosity is that, while the sshd user and group exist, I don't seem
> to see ~sshd, i.e., /home/sshd/. I wonder if that could be a problem.
User "sshd" should have a home dir of /var/empty, which is exactly
that, empty. This is the chroot jail for the sshd process.
> Well, that did change things. Now I don't even get prompted for a
> password. The ssh command instantly says "Connection closed" and
> /var/log/messages says:
>
> Jun 27 09:10:06 kendy sshd[2328]: fatal: mmap(65536): Invalid argument
Find the line in /etc/ssh/sshd_config that reads:
    # Compression yes
and change it to:
    Compression no
If you're running a 2.2 kernel you can't have PrivSep and Compression
at the same time. I don't really know why, but that's the case.
> Since this has to do with UsePrivilegeSeparation, I went
> into sshd_config and turned that off.
While privsep is a REALLY good idea, remember that it's not strictly
necessary. As long as you run 3.4 or better, or have ChallengeResponse
disabled, this particular hole is unexploitable. Of course, leaving
privsep enabled should help avoid future problems.
--
-Matt
The light at the end of the tunnel has been turned off due to budget cuts.
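The two conditions discussed in the message above (exposure when sshd is older than 3.4 with challenge-response enabled, and the privsep/compression conflict on 2.2 kernels) can be checked against an sshd_config file. This is an added example, not part of the original post or of OpenSSH. Assumptions: "ChallengeResponse" maps to the `ChallengeResponseAuthentication` keyword, all three keywords default to `yes` when unset, and the function names and sample files are constructed for illustration.

```python
import re

# Assumed OpenSSH 3.3/3.4 defaults when a keyword is absent or commented out.
DEFAULTS = {"compression": "yes", "useprivilegeseparation": "yes",
            "challengeresponseauthentication": "yes"}

def effective_settings(config_text):
    """Parse sshd_config text; sshd keeps the first value given for a keyword."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"[\s=]+", line)
        if len(fields) >= 2:
            seen.setdefault(fields[0].lower(), fields[1].lower())
    return {key: seen.get(key, default) for key, default in DEFAULTS.items()}

def major_minor(version):
    """'3.3p1' -> (3, 3); '2.2.19' -> (2, 2)."""
    return tuple(int(n) for n in re.findall(r"\d+", version)[:2])

def audit(config_text, openssh_version, kernel_release):
    """Return findings for the conditions described in the thread."""
    cfg = effective_settings(config_text)
    findings = []
    if (major_minor(openssh_version) < (3, 4)
            and cfg["challengeresponseauthentication"] == "yes"):
        findings.append("exposed: pre-3.4 sshd with challenge-response enabled")
    if cfg["useprivilegeseparation"] == "yes":
        if major_minor(kernel_release) == (2, 2) and cfg["compression"] == "yes":
            findings.append("broken: privsep plus compression on a 2.2 kernel")
    else:
        findings.append("note: privilege separation is off")
    return findings

# Constructed sample files, not taken from the thread.
STOCK = "# Compression yes\n#UsePrivilegeSeparation yes\n"
FIXED = "Compression no\nChallengeResponseAuthentication no\n"

if __name__ == "__main__":
    for name, text in (("stock", STOCK), ("fixed", FIXED)):
        print(name, audit(text, "3.3p1", "2.2.19"))
```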