[13842] in bugtraq
Re: sshd and pop/ftponly users incorrect configuration
daemon@ATHENA.MIT.EDU (Marc SCHAEFER)
Tue Feb 15 16:14:45 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <Pine.LNX.4.10.10002151539030.23676-100000@vulcan.alphanet.ch>
Date: Tue, 15 Feb 2000 15:44:08 +0100
Reply-To: Marc SCHAEFER <schaefer@ALPHANET.CH>
From: Marc SCHAEFER <schaefer@ALPHANET.CH>
X-To: Nick Lamb <njl98r@ecs.soton.ac.uk>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000215004333.A16931@ecs.soton.ac.uk>
On Tue, 15 Feb 2000, Nick Lamb wrote:
> 1. Is this a bug (which will be or has already been fixed in OpenSSH)

It's a bug, a feature, and a misconfiguration. The bug is SSH issuing
local redirecting connections with root. This was presumably fixed in
OpenSSH. The feature allowing to open connections coming from localhost
for valid (with a shell) users is a feature, and the misconfiguration is
forgetting DenyGroups on users supposed not to be able to log in
except e.g. for mail.

The real issue is however the common misconception that setting /bin/false
as a user's shell to prevent it from logging in while still allowing reading POP
mail and FTP is enough to prevent the user from issuing local-issued
connections to services. The impact is clear: bypassing firewalling,
or hosts.deny. Additionally it will create fake IDENT (but that's a ssh
feature, it seems).

> 2. Does PAM provide any immunity? If the user should be locked out
> of SSH by PAM (as in the Linux OpenSSH ports) then will this

If the user is refused by ssh authentication (be it because it's
firewalled, DenyGroupsed, invalid password or PAM), you are safe.
Noone we talk about breaking passworded accounts.
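
An added example, not part of the original message: a small audit for the misconfiguration described above, listing accounts that have a no-login shell but are matched by no DenyUsers or DenyGroups line. The passwd, group and sshd_config contents are constructed samples, and the function names are hypothetical; USER@HOST and negated patterns, and AllowUsers/AllowGroups, are not handled.

```python
import fnmatch

# Constructed sample data for illustration (not from the original post).
PASSWD = """\
alice:x:1000:1000::/home/alice:/bin/bash
popbob:x:1001:2000::/home/popbob:/bin/false
ftpeve:x:1002:1002::/home/ftpeve:/bin/false
mailtom:x:1003:1003::/home/mailtom:/sbin/nologin
"""
GROUP = "users:x:1000:alice\nmailonly:x:2000:\nnoshell:x:2001:mailtom\n"
SSHD_CONFIG = "Port 22\n# mail/FTP-only accounts\nDenyGroups mailonly noshell\n"
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

def patterns(config, keyword):
    """Patterns from every `keyword` line; sshd keywords are case-insensitive."""
    found = []
    for line in config.splitlines():
        parts = line.split()
        if parts and parts[0].lower() == keyword.lower():
            found += parts[1:]
    return found

def groups_of(user, gid, group_text):
    """Primary group (matched by gid) plus supplementary memberships."""
    names = set()
    for line in group_text.splitlines():
        name, _, g, members = line.split(":")
        if g == gid or user in members.split(","):
            names.add(name)
    return names

def uncovered_accounts(passwd, group_text, config):
    """No-login-shell accounts matched by neither DenyUsers nor DenyGroups."""
    deny_u = patterns(config, "DenyUsers")
    deny_g = patterns(config, "DenyGroups")
    uncovered = []
    for line in passwd.splitlines():
        user, _, _, gid, _, _, shell = line.split(":")
        if shell not in NOLOGIN_SHELLS:
            continue
        grps = groups_of(user, gid, group_text)
        denied = any(fnmatch.fnmatchcase(user, p) for p in deny_u) or any(
            fnmatch.fnmatchcase(g, p) for g in grps for p in deny_g)
        if not denied:
            uncovered.append(user)
    return uncovered

if __name__ == "__main__":
    print(uncovered_accounts(PASSWD, GROUP, SSHD_CONFIG))
```

On the sample data, popbob is covered through its primary group and mailtom through a supplementary one, while ftpeve is reported because no deny line matches it.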