Does a known security issue allow ssh login via system accounts?
Darren Tucker
dtucker at dtucker.net
Tue Mar 1 09:21:48 AEDT 2022
On Tue, 1 Mar 2022 at 04:52, Whit Blauvelt <whit at transpect.com> wrote:
> If this is not the right place to ask this, please redirect me. Hopefully it
> is a known vulnerability, due to out of date software. We had a server
> running OpenSSH_8.6p1 compiled on Ubuntu 16.04.7
What options did you configure it with? In particular, did you enable PAM?
[...]
> Either the /usr/bin/nologin or the "*" in the second field of /etc/shadow
> should have been enough to prevent "Accepted password for backup."
If you enabled PAM then that's a function of the PAM stack and its config.
> The /usr/sbin/nologin is the standard version for that Ubuntu generation,
> byte identical.
Have you verified that the sshd has not been tampered with?
> Adding this to sshd_config was effective:
> DenyUsers backup
> If that's still not the default for system-level users like "backup", would
> adding it be a reasonable feature request? Or is that on the distros to
> define their default sshd_config settings?
That would be up to the distros.
> The files in pam.d on the compromised system are standard.
"standard" as in "vendor-supplied" or "as we normally set them"?
> There's no public
> key for "backup", and no ".ssh" folder in /var/backups. The intruder managed
> to send out spam via the local postfix service, which is what made the
> intrusion obvious. OSSEC (Wazuh) didn't spot anything. We've of course taken
> the system offline. But we'd like to understand how that login by "backup"
> was possible.
I'd be having a very close look at the PAM config. I've seen multiple
instances where a misconfigured PAM stack failed open and accepted
either an empty password or any password. One instance also ended up
being used for spam as you describe.
You can use pam-test-harness.c (https://www.dtucker.net/patches/) to
test your config.
--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
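The two checks Darren suggests, a close look at the PAM auth stack and a `DenyUsers` entry for system accounts, can be scripted. The following is an added example, not code from this thread or from OpenSSH; the PAM, shadow and sshd_config fragments are constructed, the `@include` handling is a simplification (it reports included files rather than following them), and `sshd_denies` assumes plain usernames with no `Match` blocks.

```python
"""Audit a PAM 'auth' stack, an /etc/shadow entry and an sshd_config fragment
for the fail-open conditions discussed above. Sample inputs are constructed."""
import fnmatch

# Constructed /etc/pam.d/sshd fragment: pam_permit.so as 'sufficient' returns
# success immediately, so pam_unix.so below it is never consulted.
FAIL_OPEN_PAM = """\
auth    sufficient  pam_permit.so
auth    required    pam_unix.so nullok
account required    pam_unix.so
"""

# Constructed stack with a module that can actually fail.
SANE_PAM = """\
auth    required    pam_unix.so
@include common-account
account required    pam_unix.so
"""

# Constructed sshd_config fragment.
SSHD_CONFIG = """\
UsePAM yes
PasswordAuthentication yes
DenyUsers backup www-data
"""


def parse_pam(text):
    """Return (type, control, module, args) tuples from pam.d-style text.
    '@include foo' becomes ('include', None, 'foo', []); comments are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "@include" and len(parts) >= 2:
            entries.append(("include", None, parts[1], []))
        elif len(parts) >= 3:
            entries.append((parts[0], parts[1], parts[2], parts[3:]))
    return entries


def audit_pam_auth(text):
    """Findings about the 'auth' stack that would let sshd accept a bad password."""
    findings = []
    auth = [e for e in parse_pam(text) if e[0] == "auth"]
    for n, (_, control, module, args) in enumerate(auth, 1):
        base = module.rsplit("/", 1)[-1]
        if base == "pam_permit.so":
            if control.lower() == "sufficient":
                findings.append(f"auth entry {n}: pam_permit.so is 'sufficient' -> any password accepted")
            else:
                findings.append(f"auth entry {n}: pam_permit.so as '{control}' -> confirm a module that can fail follows it")
        if base == "pam_unix.so" and "nullok" in args:
            findings.append(f"auth entry {n}: pam_unix.so nullok -> empty password accepted for accounts with an empty hash")
    return findings


def pam_includes(text):
    """Files pulled in via @include; each needs the same audit."""
    return [e[2] for e in parse_pam(text) if e[0] == "include"]


def password_login_blocked(shadow_line):
    """True when field 2 of an /etc/shadow line can never match a password:
    '*' (no valid hash) or a '!' prefix (locked). An empty field returns False;
    it is only safe when pam_unix runs without nullok."""
    hashed = shadow_line.split(":")[1]
    return hashed.startswith("*") or hashed.startswith("!")


def sshd_denies(config_text, user):
    """True if an uncommented DenyUsers line matches user (keywords are
    case-insensitive; patterns use sshd's glob syntax, user@host ignored)."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "denyusers" and len(parts) == 2:
            if any(fnmatch.fnmatchcase(user, pat) for pat in parts[1].split()):
                return True
    return False


if __name__ == "__main__":
    for f in audit_pam_auth(FAIL_OPEN_PAM):
        print("FAIL-OPEN:", f)
    print("includes to audit:", pam_includes(SANE_PAM))
    print("backup locked:", password_login_blocked("backup:*:18474:0:99999:7:::"))
    print("backup denied by sshd:", sshd_denies(SSHD_CONFIG, "backup"))
```

Run it against the real `/etc/pam.d/sshd` plus every file it includes (on Debian and Ubuntu that is at least `common-auth`), since the definitive finding is `pam_permit.so` with the `sufficient` control ahead of `pam_unix.so`. Darren's `pam-test-harness.c` remains the authoritative check because it exercises the stack through libpam itself rather than reading the files.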