Does a known security issue allow ssh login via system accounts?
chris
chris at cataclysmal.org
Tue Mar 1 05:11:23 AEDT 2022
On Mon, Feb 28, 2022 at 12:48:31PM -0500, Whit Blauvelt wrote:
> Hi,
>
> If this is not the right place to ask this, please redirect me. Hopefully it
> is a known vulnerability, due to out of date software. We had a server
> running OpenSSH_8.6p1 compiled on Ubuntu 16.04.7 which was compromised last
> week. The intruder managed to achieve this:
>
> Feb 24 08:13:52 localhost sshd[32276]: Accepted password for backup from 5.161.47.185 port 37962 ssh2
>
> This despite that /etc/passwd has:
>
> backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
>
> And /etc/shadow has:
>
> backup:*:16359:0:99999:7:::
>
> Either the /usr/bin/nologin or the "*" in the second field of /etc/shadow
> should have been enough to prevent "Accepted password for backup." The
> /usr/sbin/nologin is the standard version for that Ubuntu generation, byte
> identical.
>
> Adding this to sshd_config was effective:
>
> DenyUsers backup
> ...
Possibly OT, but have you verified the system's PAM modules/configuration as well? They may
have used the backup account post-exploitation if everything else checked out.
-c
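A defender-side check for the pattern described in this thread, as an added example that is not code from the list or from OpenSSH: it correlates sshd "Accepted" log lines with /etc/passwd and /etc/shadow and flags any accepted login to an account whose password field is locked or whose shell is a non-login shell. The passwd, shadow and log inputs are constructed sample data (the backup entries mirror the quoted ones, the source addresses are documentation ranges), and the set of non-login shells is an assumption for this example.

```python
import re

# Constructed sample inputs (the backup lines mirror the quoted thread; the rest is made up).
PASSWD = """root:x:0:0:root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash"""
SHADOW = """root:*:16359:0:99999:7:::
backup:*:16359:0:99999:7:::
alice:$6$constructed$notarealhash:18000:0:99999:7:::"""
AUTH_LOG = """Feb 24 08:13:52 localhost sshd[32276]: Accepted password for backup from 192.0.2.10 port 37962 ssh2
Feb 24 08:15:01 localhost sshd[32290]: Accepted publickey for alice from 192.0.2.11 port 50022 ssh2
Feb 24 08:16:09 localhost sshd[32301]: Failed password for root from 192.0.2.12 port 40001 ssh2"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}  # assumed set
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")

def _fields(text):
    """Split colon-separated passwd/shadow lines into field lists."""
    return [line.split(":") for line in text.splitlines() if line.strip()]

def locked_accounts(passwd_text, shadow_text):
    """Users that should never get an interactive session: a locked shadow
    password field ('*' or anything starting with '!') or a non-login shell."""
    shells = {f[0]: f[6] for f in _fields(passwd_text) if len(f) >= 7}
    passwords = {f[0]: f[1] for f in _fields(shadow_text) if len(f) >= 2}
    return {
        user for user, shell in shells.items()
        if shell in NOLOGIN_SHELLS
        or passwords.get(user, "") == "*"
        or passwords.get(user, "").startswith("!")
    }

def suspicious_logins(auth_log, passwd_text, shadow_text):
    """(user, auth method, source address) for every accepted sshd login to a
    locked account. Any hit means sshd/PAM did not honour the lock."""
    locked = locked_accounts(passwd_text, shadow_text)
    hits = []
    for line in auth_log.splitlines():
        m = ACCEPTED_RE.search(line)
        if m and m.group(2) in locked:
            hits.append((m.group(2), m.group(1), m.group(3)))
    return hits

if __name__ == "__main__":
    for user, method, src in suspicious_logins(AUTH_LOG, PASSWD, SHADOW):
        print(f"ALERT: accepted {method} login for locked account {user} from {src}")
```

On a real host the three strings would be read from /etc/passwd, /etc/shadow and the auth log; a non-empty result is the signal to go and audit the PAM stack and sshd_config rather than trust the lock.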