Does a known security issue allow ssh login via system accounts?

Damien Miller djm at mindrot.org
Tue Mar 1 09:45:04 AEDT 2022


On Mon, 28 Feb 2022, Whit Blauvelt wrote:

> Hi,
> 
> If this is not the right place to ask this, please redirect me. Hopefully it
> is a known vulnerability, due to out of date software. We had a server
> running OpenSSH_8.6p1 compiled on Ubuntu 16.04.7 which was compromised last
> week. The intruder managed to achieve this:
> 
>   Feb 24 08:13:52 localhost sshd[32276]: Accepted password for backup from 5.161.47.185 port 37962 ssh2
> 
> This despite that /etc/passwd has:
> 
>   backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
> 
> And /etc/shadow has:
> 
>   backup:*:16359:0:99999:7:::

We're not aware of any security problems in OpenSSH 8.6 that could yield
access to a locked account like this.

On Ubuntu, OpenSSH delegates to PAM for password authentication and
verification of the user's shell against /etc/shells. You can check
whether this is actually enabled using 'sudo sshd -T | grep ^usepam'.

It sounds like you have already verified that your PAM configuration was
not tampered with, so that removes one possibility. Reviewing the Ubuntu
PAM configurations and the patches they apply to sshd seems to be a prudent
next step.

It's possible that the above log message was not from the initial
compromise, but rather the attacker running their own sshd to act as a
more reliable foothold.

Hopefully you're able to preserve and perform forensics on the host.
If there is evidence of a bug in sshd, then please send it to the
security bug reporting contact: openssh at openssh.com

Thanks,
Damien Miller
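The triage step discussed in this thread, as an added example that is not part of the original mailing list exchange: cross-check every "Accepted password" line in the sshd log against the account's shadow entry (a `*` or `!`-prefixed hash means the account is locked) and its login shell (a shell absent from /etc/shells would normally be rejected via PAM). A hit on a locked or nologin account is exactly the kind of line that should not exist unless sshd is bypassing PAM, the account files were altered after the fact, or the log line came from a different sshd than the one you think. The sample passwd, shadow, shells and auth.log contents below are constructed for the example (the `backup` lines are copied from the report above; the alice lines and hashes are placeholders).

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH.
# Flags "Accepted password" sshd log lines for accounts that are locked in
# shadow or whose login shell is not listed in /etc/shells.

# Constructed sample data. On a live host you would pass
#   "$(cat /etc/passwd)" "$(cat /etc/shadow)" "$(cat /etc/shells)"
# and the relevant auth.log / journal extract instead.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

SAMPLE_SHADOW='root:$6$PLACEHOLDERHASH:19000:0:99999:7:::
backup:*:16359:0:99999:7:::
alice:$6$PLACEHOLDERHASH:19000:0:99999:7:::'

SAMPLE_SHELLS='/bin/sh
/bin/bash'

SAMPLE_AUTHLOG='Feb 24 08:13:52 localhost sshd[32276]: Accepted password for backup from 5.161.47.185 port 37962 ssh2
Feb 24 09:00:01 localhost sshd[32300]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
Feb 24 09:05:11 localhost sshd[32311]: Accepted password for alice from 192.0.2.10 port 51002 ssh2'

# account_locked USER SHADOW_TEXT
# Returns 0 when USER's shadow hash field is "*" or starts with "!", i.e. the
# account cannot authenticate with a password. Unknown users return 1.
account_locked() {
    al_user=$1; al_shadow=$2
    al_hash=$(printf '%s\n' "$al_shadow" | awk -F: -v u="$al_user" '$1 == u { print $2 }')
    case "$al_hash" in
        '*'|'!'*) return 0 ;;
        *)        return 1 ;;
    esac
}

# shell_allowed USER PASSWD_TEXT SHELLS_TEXT
# Returns 0 when USER's login shell from passwd appears verbatim in the
# shells list (the check PAM performs on Ubuntu); unknown users return 1.
shell_allowed() {
    sa_user=$1; sa_passwd=$2; sa_shells=$3
    sa_shell=$(printf '%s\n' "$sa_passwd" | awk -F: -v u="$sa_user" '$1 == u { print $7 }')
    [ -n "$sa_shell" ] || return 1
    printf '%s\n' "$sa_shells" | grep -qxF "$sa_shell"
}

# suspicious_password_logins AUTHLOG_TEXT PASSWD_TEXT SHADOW_TEXT SHELLS_TEXT
# Prints "<reason><TAB><log line>" for each password login that should have
# been refused. Returns 0 if at least one such line was found, 1 otherwise.
suspicious_password_logins() {
    sp_log=$1; sp_passwd=$2; sp_shadow=$3; sp_shells=$4
    sp_found=1
    # Loop runs in the current shell (here-doc, not a pipe) so sp_found survives.
    while IFS= read -r sp_line; do
        sp_user=$(printf '%s\n' "$sp_line" \
            | sed -n 's/.*sshd\[[0-9]*\]: Accepted password for \([^ ]*\) from .*/\1/p')
        [ -n "$sp_user" ] || continue
        if account_locked "$sp_user" "$sp_shadow"; then
            printf 'locked-account\t%s\n' "$sp_line"; sp_found=0
        elif ! shell_allowed "$sp_user" "$sp_passwd" "$sp_shells"; then
            printf 'shell-not-allowed\t%s\n' "$sp_line"; sp_found=0
        fi
    done <<EOF
$sp_log
EOF
    return $sp_found
}

# Example run on the constructed data: prints only the backup line, since
# alice's password login is for an unlocked account with a permitted shell.
suspicious_password_logins "$SAMPLE_AUTHLOG" "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" "$SAMPLE_SHELLS"
```

A hit from this check is a lead, not a verdict: confirm first that `sshd -T | grep ^usepam` reports `usepam yes` on the host, and compare the reporting process's PID and binary against the running sshd, because a second sshd started by the intruder will happily write "Accepted password" lines for whatever credentials it was built to accept.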

