>> On Sat, 23 Jan 1999 17:06:44 -0500, KuRuPTioN <kuruptionat_private> said:

KuRuPTioN> There seems to be incomplete code in the SSH daemon in both versions 1.2.27
KuRuPTioN> and 2.0.11 (only tested). The bug simply allows users with expired
KuRuPTioN> accounts (in /etc/shadow) to continue to log in even though other
KuRuPTioN> services such as ftp and telnet deny access. Here is the log using 1.2.27
KuRuPTioN> (but the same happens with 2.0.11).

It seems to be a bug in the configure script.
From my quick look at the source code, the possibly vulnerable environments are

 - sshd 1.2.26 on
   * Linux, Irix5, Irix6, Ultrix, Convex
 - sshd 2.0.11 on
   * Almost all platforms with account expiration and without usersec.h(?)

To check whether the sshd is vulnerable, execute the command

    strings sshd | grep expire

and see whether the message for ACCOUNT expiration exists.
(There may be a message for password expiration.)

Adding

    #define HAVE_STRUCT_SPWD_EXPIRE 1

to the appropriate header file (do this after ./configure) may solve the problem
(sorry, not tested).

Detail:
 In ssh 1.2.26, checking for shadow passwd existence is bypassed on some platforms.
 However, checking for sp_expire existence is done in the bypassed section of
 the configure script.

 In ssh 2.0.11, no checking seems to be done for sp_expire. (true?)

--
Yutaka Oiwa
Yonezawa Lab., Department of Information Science,
Faculty of Science, University of Tokyo.
Email: <oiwaat_private-tokyo.ac.jp>, <yutakaat_private>
PGP fingerprint = C9 8D 5C B8 86 ED D8 07 EA 59 34 D8 F4 65 53 61
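The kind of account-expiration check the message says gets compiled out, as an added example that is not part of the original post and is not taken from the ssh source. `account_expired` and `SECONDS_PER_DAY` are hypothetical names, and treating `sp_expire <= 0` as "never expires" is an assumption of this sketch; only `struct spwd`, `getspnam` and `HAVE_STRUCT_SPWD_EXPIRE` come from the system headers and the message.

```c
#include <shadow.h>
#include <stdio.h>
#include <time.h>

/* Normally set by ./configure; the message's workaround defines it by hand.
 * Remove this line to see the check disappear without any compile error. */
#define HAVE_STRUCT_SPWD_EXPIRE 1

#define SECONDS_PER_DAY 86400L   /* hypothetical helper constant */

/* Returns 1 if the shadow entry's account expiration date has been reached.
 * sp_expire counts days since 1970-01-01; values <= 0 are treated here
 * as "no expiration set" (assumption of this example). */
int account_expired(const struct spwd *sp, time_t now)
{
#ifdef HAVE_STRUCT_SPWD_EXPIRE
    long today = (long)(now / SECONDS_PER_DAY);
    if (sp != NULL && sp->sp_expire > 0 && today >= sp->sp_expire)
        return 1;
#else
    (void)sp;
    (void)now;   /* check compiled out: every account looks valid */
#endif
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s user\n", argv[0]);
        return 2;
    }
    struct spwd *sp = getspnam(argv[1]);   /* needs read access to /etc/shadow */
    if (sp == NULL) {
        fprintf(stderr, "no readable shadow entry for %s\n", argv[1]);
        return 2;
    }
    if (account_expired(sp, time(NULL))) {
        printf("%s: account expired, login must be denied\n", argv[1]);
        return 1;
    }
    printf("%s: account not expired\n", argv[1]);
    return 0;
}
```

Because the guard is a plain `#ifdef`, a configure run that never defines the macro yields a binary that builds cleanly and simply never denies an expired account, which is why the `strings sshd | grep expire` check above is useful.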