[8554] in bugtraq

Re: SCO World Script Vulnerabilities

daemon@ATHENA.MIT.EDU (//Stany)
Sat Nov 14 15:56:48 1998

Date: 	Fri, 13 Nov 1998 17:56:39 -0500
Reply-To: //Stany <stany@HTTP.NOTBSD.ORG>
From: //Stany <stany@HTTP.NOTBSD.ORG>
To: BUGTRAQ@NETSPACE.ORG

On Thu, 12 Nov 1998, Joe wrote:
> Ben: The set-up described there is fairly secure. (Although I'd used
> ssh/scp instead of the r_services). The .rhosts files allow "webserver" to
> log in from only 1 machine on the INTRA-net, from one specific IP address,
> which is protected (presumably) by a firewall. To top it off, the "webserver"
> user has no valid shell or password so anyone that gets into the account

In my experience with 1.2.x versions of scp, the shell has to be valid in
order to actually copy files, as the remote machine also starts an scp
process, and from the looks of it sshd calls a shell before executing an
scp process.

I do not know if the 2.0.x version has this "limitation" (we are a commercial
site, and ssh 1.2.x works, so why upgrade?), but here is a quick check:

This is the server:
root@zerkalo:/opt[111]# /usr/local/sbin/sshd -d -p 2000
debug: sshd version 1.2.26 [sparc-sun-solaris2.5.1]
debug: Initializing random number generator; seed file /etc/ssh_random_seed
log: Server listening on port 2000.
log: Generating 768 bit RSA key.
Generating p:  ......++ (distance 62)
Generating q:  ..++ (distance 34)
Computing the keys...
Testing the keys...
Key generation complete.
log: RSA key generation complete.
debug: Server will not fork when running in debugging mode.
log: Connection from 204.xxx.xxx.xxx port 36723
debug: Client protocol version 1.5; client software version 1.2.26
debug: Sent 768 bit public key and 1024 bit host key.
debug: Encryption type: idea
debug: Received session key; encryption turned on.
debug: Installing crc compensation attack detector.
log: Unknown group id 112

debug: Attempting authentication for radius.
log: RSA authentication for radius accepted.
debug: Executing command 'scp -v -f /tmp/network.jpg'
debug: Entering interactive session.
debug: End of interactive session; stdin 1, stdout (read 0, sent 0), stderr 284 bytes.
debug: Received SIGCHLD.
debug: Command exited with status 255.
debug: Received exit confirmation.
log: Closing connection to 204.xxx.xxx.xxx
root@zerkalo:/opt[112]# cat /etc/passwd | grep ^radius
radius:x:504:112:Radius user:/opt/radius:/bin/false
root@zerkalo:/opt[113]#

This is the client:
root@graendel:/tmp[84]# scp -v -P 2000 radius@zerkalo.notbsd.org:/tmp/network.jpg .
Executing: host zerkalo.notbsd.org, user radius, command scp -v -f /tmp/network.jpg
SSH Version 1.2.26 [sparc-sun-solaris2.5.1], protocol version 1.5.
Standard version.  Does not use RSAREF.
graendel.notbsd.org: Reading configuration data /etc/ssh_config
graendel.notbsd.org: Applying options for *
graendel.notbsd.org: ssh_connect: getuid 0 geteuid 0 anon 1
graendel.notbsd.org: Connecting to zerkalo.notbsd.org [204.191.124.98] port 2000.
graendel.notbsd.org: Connection established.
graendel.notbsd.org: Remote protocol version 1.5, remote software version 1.2.26
graendel.notbsd.org: Waiting for server public key.
graendel.notbsd.org: Received server public key (768 bits) and host key (1024 bits).
graendel.notbsd.org: Host 'zerkalo.notbsd.org' is known and matches the host key.
graendel.notbsd.org: Initializing random; seed file //.ssh/random_seed
graendel.notbsd.org: Encryption type: idea
graendel.notbsd.org: Sent encrypted session key.
graendel.notbsd.org: Installing crc compensation attack detector.
graendel.notbsd.org: Received encrypted confirmation.
graendel.notbsd.org: No agent.
graendel.notbsd.org: Trying RSA authentication with key 'stany@gargoyle.netsvc.istar.ca Stanislav N. Vardomskiy Dial SA/Joat  (613) 566-4918'
graendel.notbsd.org: Received RSA challenge from server.
Enter passphrase for RSA key 'stany@gargoyle.netsvc.istar.ca  Stanislav N. Vardomskiy Dial SA/Jot  (613) 566-4918':
graendel.notbsd.org: Sending response to host key RSA challenge.
graendel.notbsd.org: Remote: RSA authentication accepted.
graendel.notbsd.org: RSA authentication accepted by server.
graendel.notbsd.org: Sending command: scp -v -f /tmp/network.jpg
graendel.notbsd.org: Entering interactive session.
log: executing remote command as user radius
Environment:
  HOME=/opt/radius
  USER=radius
  LOGNAME=radius
  PATH=/bin:/usr/bin:/usr/ucb:/usr/bin/X11:/usr/local/bin:/usr/local/bin
  MAIL=/var/mail/radius
  SHELL=/bin/false
  TZ=Canada/Eastern
  SSH_CLIENT=204.xxx.xxx.xxx 36723 2000

graendel.notbsd.org: Transferred: stdin 1, stdout 284, stderr 0 bytes in 0.2 seconds
graendel.notbsd.org: Bytes per second: stdin 6.4, stdout 1827.8, stderr 0.0
graendel.notbsd.org: Exit status 255

root@graendel:/tmp[85]# ls network.jpg
network.jpg: No such file or directory
root@graendel:/tmp[86]#

I do not know if having a valid user shell will make a big difference to
your security setup, but it does to mine.

--
+--------+ My words are my own.  LARTs are provided free of charge. +---------+
|Stanislav N. Vardomskiy - NetWinder Rescue HOWTO Maintainer and JOAT at large|
| "Backups we have; it's restores that we find tricky" - Richard Letts at asr |
| This message is powered by JOLT! For all the sugar and twice the caffeine.  |
+-----------------------------------------------------------------------------+
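
The behaviour in the transcripts above, reproduced locally as an added example that is not part of the original post. It assumes sshd hands the requested command to the account's login shell as `<shell> -c <command>`, which is consistent with `SHELL=/bin/false` and the non-zero exit status in the debug output; the function names and the `backup` account are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks whether an account's login shell will actually run a
# command handed to it as "<shell> -c <command>" (assumed sshd behaviour).

# Print "ran" if LOGIN_SHELL executed the probe command, otherwise
# "blocked (exit N)" with the shell's exit status.
shell_runs_command() {
    login_shell=$1
    dir=$(mktemp -d) || return 2
    status=0
    # The probe creates a marker file; a shell such as /bin/false ignores -c
    # and exits non-zero without creating it.
    "$login_shell" -c ': > "$1"' probe "$dir/ran" \
        </dev/null >/dev/null 2>&1 || status=$?
    if [ -e "$dir/ran" ]; then
        result="ran"
    else
        result="blocked (exit $status)"
    fi
    rm -rf "$dir"
    echo "$result"
}

# Read passwd(5)-format lines on stdin and report, per account, whether an
# scp-style remote command would be executed for it.
audit_passwd() {
    while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        [ -n "$user" ] || continue
        if [ ! -x "$shell" ]; then
            echo "$user $shell missing"
        else
            echo "$user $shell $(shell_runs_command "$shell")"
        fi
    done
}

# Sample input: the radius entry is the one shown in the post, the backup
# entry is constructed for comparison.
audit_passwd <<'EOF'
radius:x:504:112:Radius user:/opt/radius:/bin/false
backup:x:505:112:Constructed account:/home/backup:/bin/sh
EOF
```

The exit status reported for `/bin/false` depends on the platform, so compare the `ran`/`blocked` verdict rather than the number.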
