Does a known security issue allow ssh login via system accounts?
Whit Blauvelt
whit at transpect.com
Wed Mar 2 04:30:18 AEDT 2022
On Tue, 03/01/22, 2022 at 09:21:48AM +1100, Darren Tucker wrote:
> What options did you configure it with? In particular, did you enable PAM?
./configure --with-md5-passwords --with-pam --with-privsep-path=/var/lib/sshd/ --sysconfdir=/etc/ssh8.6
> Have you verified that the sshd has not been tampered with?
Yes
> "standard" as in "vendor-supplied" or "as we normally set them"?
vendor-supplied.
> I'd be having a very close look at the PAM config. I've seen multiple
> instances where a misconfigured PAM stack failed open and accepted
> either an empty password or any password. One instance also ended up
> being used for spam as you describe.
> You can use pam-test-harness.c (https://www.dtucker.net/patches/) to
> test your config.
Thanks Darren. I'll try your test harness. My chief concern is whether there
is/was something off in the standard Ubuntu PAM setup.
Best,
Whit
More information about the openssh-unix-dev
mailing list