From: Golden_Eternity [bhodi@bigfoot.com]
Sent: Saturday, July 21, 2001 11:03 AM
To: Steve; vulnwatch@vulnwatch.org
Subject: RE: [VulnWatch] URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0

I have tested and confirmed this problem on RedHat 6.2 with SSH 3.0.0 installed. The majority of accounts are properly locked out, but the optional user 'postgres' by default has a password '!!' and is assigned the shell '/bin/bash'.

The impact of this problem could have been reduced if an appropriate shell, such as /bin/false, had been assigned. This was not listed in the advisory as a possible workaround, probably because it does not prevent authentication as the target account. While I was unable to exec an alternate shell for an account with /bin/false as its default (ssh appears to check for this), someone else might find a way. I contacted RedHat about assigning shells to system accounts in June 2000 (http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=12409), but they elected not to fix the problem.

Another possible workaround is the PermitEmptyPasswords directive in sshd2_config. When set to "no", I was unable to log in under the affected account.

[root@shiva /root]# cat /etc/shadow | grep "postgres"
postgres:!!:11515:0:99999:7:::
[root@shiva /root]# ssh -l postgres localhost
postgres's password:
Authentication successful.
Last login: Sat Jul 21 2001 09:09:21 -0700 from localhost
bash$ logout
Connection to localhost closed.
[root@shiva /root]# cat /etc/passwd | grep postgres
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
[root@shiva /root]# chsh -s /bin/false postgres
Changing shell for postgres.
Warning: "/bin/false" is not listed in /etc/shells
Shell changed.
[root@shiva /root]# cat /etc/passwd | grep postgres
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/false
[root@shiva /root]# ssh -l postgres localhost
postgres's password:
Authentication successful.
Last login: Sat Jul 21 2001 09:11:01 -0700 from localhost
Connection to localhost closed.
[root@shiva /root]#
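The post above points at two things an administrator can check on a host running this sshd: system accounts whose shadow entry holds a placeholder such as '!!' rather than a real hash while still having an interactive login shell, and the PermitEmptyPasswords setting in sshd2_config. The audit script below is an added example and is not part of the original post or of the SSH product; the /etc/passwd, /etc/shadow and sshd2_config contents it reads are constructed samples written to a temporary directory, the set of placeholder markers it treats as "not a real hash" ('!!', '!', '*', empty) and the set of nologin shells it accepts are assumptions, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post: audit locked/placeholder accounts
# that still carry an interactive shell, and report the effective
# PermitEmptyPasswords value of an sshd2_config. Sample files are constructed.

SAMPLE_DIR="${TMPDIR:-/tmp}/sshaudit.$$"
mkdir -p "$SAMPLE_DIR"

# Constructed /etc/passwd: postgres mirrors the post's default RedHat 6.2 entry.
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
lp:x:4:7:lp:/var/spool/lpd:/bin/false
nobody:x:99:99:Nobody:/:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
EOF

# Constructed /etc/shadow: root has a (fake) hash, the rest are placeholders.
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$1$saltsalt$fakehashfakehash:11515:0:99999:7:::
postgres:!!:11515:0:99999:7:::
lp:!!:11515:0:99999:7:::
nobody:*:11515:0:99999:7:::
alice::11515:0:99999:7:::
EOF

# Constructed sshd2_config fragment with the weak setting the post warns about.
cat > "$SAMPLE_DIR/sshd2_config" <<'EOF'
# constructed fragment
Port 22
PermitEmptyPasswords yes
EOF

# risky_accounts PASSWD SHADOW
# Prints "user:shell" for every account whose shadow password field is a
# placeholder ('!!', '!', '*' or empty; assumed set) and whose shell is not
# one of the assumed nologin shells. These are the accounts an sshd that
# treats placeholders as empty passwords would hand a usable shell to.
risky_accounts() {
    passwd_file=$1
    shadow_file=$2
    awk -F: '
        NR == FNR { shell[$1] = $7; next }      # first file: user -> shell
        {
            pw = $2
            if (pw == "" || pw == "!!" || pw == "!" || pw == "*") {
                sh = shell[$1]
                if (sh != "/bin/false" && sh != "/sbin/nologin" && sh != "/usr/sbin/nologin")
                    print $1 ":" sh
            }
        }
    ' "$passwd_file" "$shadow_file"
}

# permit_empty_passwords CONFIG
# Prints the effective PermitEmptyPasswords value: the last directive wins,
# matching is case-insensitive, and "no" is assumed when the directive is absent.
permit_empty_passwords() {
    awk 'tolower($1) == "permitemptypasswords" { v = tolower($2) }
         END { print (v == "" ? "no" : v) }' "$1"
}

# Stand-alone run against the constructed samples.
echo "Placeholder-password accounts with an interactive shell:"
risky_accounts "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow"
echo "PermitEmptyPasswords: $(permit_empty_passwords "$SAMPLE_DIR/sshd2_config")"
```

On the constructed samples the script lists postgres and alice (lp and nobody are excluded by their nologin shells) and reports PermitEmptyPasswords as "yes"; on a real host, point the two functions at /etc/passwd, /etc/shadow and the sshd2_config path and treat every listed account as a candidate for `chsh -s /bin/false` as in the post, then set PermitEmptyPasswords to no. Remove "$SAMPLE_DIR" when done with the demo.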