<from SSH's advisory> > in SSH Secure Shell 3.0.0, for Unix only, concerning > accounts with password fields consisting of two or > fewer characters. I've tested this on a few machines that I recently upgraded and have a nit to pick the "or fewer" portion of this statement. It's quite late here and I feel I am stating the elementary, further comments and corrections would be very helpful. On RH 6.2 some of the password fields are nulled in /etc/shadow with "*" and some with "!!" The only accounts vulnerable to this bug were the ones using "!!" or any other two-character combinations that I tried. I replaced the offending accounts with a single character and was unable to login with the "ease" that I had before. I tested on Debian 2.2 and RedHat 6.2. It is worth noting that Debian does NOT null logins in /etc/shadow using two characters by default like Red Hat. btw, I also tested on FreeBSD-4.2 and was unable to login without providing the proper password regardless of the number of characters I had in the password field. -Jen jenat_private debian:~# telnet localhost 22 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. SSH-2.0-3.0.0 SSH Secure Shell (non-commercial) Connection closed by foreign host. debian:~# uname -a Linux debian 2.4.6-pre3 #4 SMP Tue Jun 26 12:34:37 EST 2001 ppc unknown debian:~# cat /etc/shadow | grep irc irc:!!:11498:0:99999:7::: debian:~# ssh -l irc localhost irc's password: Authentication successful. Last login: Sat Jul 21 2001 01:44:01 -0500 No mail. irc@debian:~$ debian:~# vi /etc/shadow ... debian:~# cat /etc/shadow | grep irc irc:!:11498:0:99999:7::: debian:~# ssh -l irc localhost irc's password: irc's password: irc's password: warning: Authentication failed. Disconnected; no more authentication methods available (No further authentication methods available.).
This archive was generated by hypermail 2b30 : Sat Jul 21 2001 - 21:19:13 PDT