[27093] in bugtraq

Re: OpenSSH 3.4p1 Privsep

daemon@ATHENA.MIT.EDU (eric@catastrophe.net)
Wed Sep 18 15:46:28 2002

Date: Tue, 17 Sep 2002 11:24:08 -0500
From: eric@catastrophe.net
To: bugtraq@securityfocus.com
Message-ID: <20020917112408.Z14101@catastrophe.net>
Mail-Followup-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <Pine.SOL.4.33.0209161729000.21511-100000@magnet.weirdness.net>; from acd@weirdness.net on Mon, Sep 16, 2002 at 05:48:42PM -0400

On Mon, 2002-09-16 at 17:48:42 -0400, Andrew Danforth wrote...

; During authentication, OpenSSH 3.4p1 with privsep enabled passes the
; cleartext password from the main process to the privsep child using a
; pipe.  Using strace or truss, root can see the user's plaintext password
; flying by.  I observed this behavior from OpenSSH 3.4p1 built using GCC on
; Solaris 2.8 and the current Debian OpenSSH 3.4p1 package.

This appears to not happen on FreeBSD using the OpenSSH 3.4p1 source
(not the FreeBSD distro). Also, it doesn't happen when using pub/priv
key authentication, as far as I can tell.

-#0