[1425] in Release_7.7_team


security hole in Athena sshd

daemon@ATHENA.MIT.EDU (Dan Winship)
Tue Aug 4 23:27:21 1998

Date: Tue, 4 Aug 1998 23:26:45 -0400
From: Dan Winship <danw@MIT.EDU>
To: netusers@MIT.EDU, cluster-managers@MIT.EDU
Cc: release-team@MIT.EDU

(This affects _only_ the sshd installed on Athena workstations in
Athena release 8.2. It does not affect any standard version of sshd.)

A security hole was recently discovered in /etc/athena/sshd in the new
Athena release. (The hole allows users to log into a workstation
running sshd as any non-local user in the password file on that
machine. It does not allow them to log in as root.) This hole has been
patched and the fixed sshd will be going out as part of Athena 8.2.9
next week.

If you are running a private Athena workstation with sshd enabled, you
should (as root):

  rm /etc/athena/sshd
  cp /afs/dev.mit.edu/system/@sys/srvd/etc/athena/sshd /etc/athena
  kill `cat /var/athena/sshd.pid`
  /etc/athena/sshd

This will install the patched sshd.

If you have any questions, send mail to release-team@mit.edu.

-- Dan
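
An added example, not part of the original message or of Athena's own tooling: a variant of the copy step above that stages the new binary next to the old one, checks it byte for byte against the source, and only then renames it into place, so a failed or truncated copy from AFS never leaves the workstation without an sshd. The function name `replace_verified`, the staging file name and the 755 mode are assumptions.

```shell
#!/bin/sh
# Added example: staged, verified replacement of a daemon binary.
# Usage: replace_verified SRC DST
#   SRC  patched binary (in the advisory,
#        /afs/dev.mit.edu/system/@sys/srvd/etc/athena/sshd)
#   DST  installed binary (in the advisory, /etc/athena/sshd)
# Returns 0 only if DST now holds an exact copy of SRC.
replace_verified() {
    src=$1
    dst=$2
    tmp="$dst.new.$$"    # hypothetical staging name, same directory as DST

    # Refuse to proceed if the source is missing or empty (e.g. AFS unreachable).
    if [ ! -s "$src" ]; then
        echo "source $src missing or empty; $dst left untouched" >&2
        return 1
    fi

    # Stage the copy in the destination directory so the final rename is atomic.
    if ! cp "$src" "$tmp"; then
        rm -f "$tmp"
        return 1
    fi

    # Byte-for-byte comparison catches a truncated or interrupted copy.
    if ! cmp -s "$src" "$tmp"; then
        echo "staged copy differs from $src; $dst left untouched" >&2
        rm -f "$tmp"
        return 1
    fi

    # Assumed mode for a root-installed daemon binary.
    chmod 755 "$tmp" || { rm -f "$tmp"; return 1; }

    # rename(2) within one directory: the old binary stays in place until
    # the verified new one takes over the name.
    mv -f "$tmp" "$dst"
}

# When invoked with two arguments, perform the replacement directly.
if [ "$#" -eq 2 ]; then
    replace_verified "$1" "$2"
fi
```

Once the function returns 0, restart the daemon with the kill and /etc/athena/sshd steps from the message, since the running process still executes the old binary until then.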
