Does a known security issue allow ssh login via system accounts?
Whit Blauvelt
whit at transpect.com
Tue Mar 1 04:48:31 AEDT 2022
Hi,
If this is not the right place to ask this, please redirect me. Hopefully it
is a known vulnerability, due to out of date software. We had a server
running OpenSSH_8.6p1 compiled on Ubuntu 16.04.7 which was compromised last
week. The intruder managed to achieve this:
Feb 24 08:13:52 localhost sshd[32276]: Accepted password for backup from 5.161.47.185 port 37962 ssh2
This despite that /etc/passwd has:
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
And /etc/shadow has:
backup:*:16359:0:99999:7:::
Either the /usr/bin/nologin or the "*" in the second field of /etc/shadow
should have been enough to prevent "Accepted password for backup." The
/usr/sbin/nologin is the standard version for that Ubuntu generation, byte
identical.
Adding this to sshd_config was effective:
DenyUsers backup
If that's still not the default for system-level users like "backup", would
adding it be a reasonble feature request? Or is that on the distros to
define their default sshd_config settings?
The files in pam.d on the compromised system are standard. There's no public
key for "backup", and no ".ssh" folder in /var/backups. The intruder managed
to send out spam via the local postfix service, which is what made the
intrusion obvious. OSSEC (Wazuh) didn't spot anything. We've of course taken
the system offline. But we'd like to understand how that login by "backup"
was possible.
Thanks for any pointers. It's hard to google for this, due to "backup" being
such a generic term.
Whit
More information about the openssh-unix-dev
mailing list