From owner-freebsd-security@FreeBSD.ORG Wed Jul 21 09:34:52 2004
Date: Wed, 21 Jul 2004 19:35:27 +1000
From: Tig
To: freebsd-security@freebsd.org
Message-Id: <20040721193527.2647e696@piglet.goo>
Subject: ssh and root on 4.10 = password discovery (maybe)

Hello. I'm not 100% sure if this is a configuration error on my side or
a 'bad idea' on sshd/FreeBSD sides.

A remote root ssh connection to a FreeBSD 4.10 server (with no remote
root access) will allow you to 'work out' the root password. However, if
you try the same against 5.2.1 FreeBSD, you have little chance. The
following are pretty clear examples.

If this is a config mistake on my side, please let me know as I have
clearly done something wrong.

Correct root password - 4.10
tigger@piglet:~% ssh root@4.10-FreeBSD
Password:
Connection to 4.10-FreeBSD closed by remote host.
Connection to 4.10-FreeBSD closed.
tigger@piglet:~%

Incorrect root password - 4.10
tigger@piglet:~% ssh root@4.10-FreeBSD
Password:
Password:
Password:
root@lilypie.com's password:
Permission denied, please try again.
root@lilypie.com's password:
Permission denied, please try again.
root@lilypie.com's password:
Permission denied (publickey,password,keyboard-interactive).
tigger@piglet:~%

Correct root password - 5.2.1
tigger@piglet:~% ssh root@5.2.1-FreeBSD
Password:
Password:
Password:
root@eeeor.goo's password:
Permission denied, please try again.
root@eeeor.goo's password:
Permission denied, please try again.
root@eeeor.goo's password:
Permission denied (publickey,password,keyboard-interactive).

From owner-freebsd-security@FreeBSD.ORG Wed Jul 21 12:12:48 2004
Date: Wed, 21 Jul 2004 14:12:45 +0200 (CEST)
From: Konrad Heuer
To: Tig
Cc: freebsd-security@freebsd.org
In-Reply-To: <20040721193527.2647e696@piglet.goo>
Message-ID: <20040721140750.M64009@gwdu60.gwdg.de>
Subject: Re: ssh and root on 4.10 = password discovery (maybe)

On Wed, 21 Jul 2004, Tig wrote:

> Hello. I'm not 100% sure if this is a configuration error on my side or
> a 'bad idea' on sshd/FreeBSD sides.
>
> A remote root ssh connection to a FreeBSD 4.10 server (with no remote
> root access) will allow you to 'work out' the root password. However, if
> you try the same against 5.2.1 FreeBSD, you have little chance. The
> following are pretty clear examples.
>
> If this is a config mistake on my side, please let me know as I have
> clearly done something wrong.
>
> Correct root password - 4.10
> tigger@piglet:~% ssh root@4.10-FreeBSD
> Password:
> Connection to 4.10-FreeBSD closed by remote host.
> Connection to 4.10-FreeBSD closed.
> tigger@piglet:~%
>
> Incorrect root password - 4.10
> tigger@piglet:~% ssh root@4.10-FreeBSD
> Password:
> Password:
> Password:
> root@lilypie.com's password:
> Permission denied, please try again.
> root@lilypie.com's password:
> Permission denied, please try again.
> root@lilypie.com's password:
> Permission denied (publickey,password,keyboard-interactive).
> tigger@piglet:~%
>
> Correct root password - 5.2.1
> tigger@piglet:~% ssh root@5.2.1-FreeBSD
> Password:
> Password:
> Password:
> root@eeeor.goo's password:
> Permission denied, please try again.
> root@eeeor.goo's password:
> Permission denied, please try again.
> root@eeeor.goo's password:
> Permission denied (publickey,password,keyboard-interactive).

I roughly remember to have read about that problem for older versions
of OpenSSH.

But on my 4.10 boxes, there's no problem. Looks always like this,
correct and incorrect password given:

% ssh root@box
root@boxes's password:
Permission denied, please try again.
root@boxes's password:
Permission denied, please try again.

Version:

% ssh -V
OpenSSH_3.5p1 FreeBSD-20030924, SSH protocols 1.5/2.0, OpenSSL
0x0090704f

Best regards

Konrad Heuer (kheuer2@gwdg.de)  ____            ___  _______
GWDG                           / __/______ ___ / _ )/ __/ _ \
Am Fassberg                   / _// __/ -_) -_) _  |\ \/ // /
37077 Goettingen             /_/ /_/  \__/\__/____/___/____/
Germany

From owner-freebsd-security@FreeBSD.ORG Wed Jul 21 13:22:05 2004
Date: Wed, 21 Jul 2004 23:22:32 +1000
From: Tig
To: freebsd-security@freebsd.org
Message-Id: <20040721232232.5d8b5bab@piglet.goo>
In-Reply-To: <20040721140750.M64009@gwdu60.gwdg.de>
Subject: Re: ssh and root on 4.10 = password discovery (maybe)

On Wed, 21 Jul 2004 14:12:45 +0200 (CEST)
Konrad Heuer wrote:

>
> I roughly remember to have read about that problem for older versions
> of OpenSSH.
>
> But on my 4.10 boxes, there's no problem. Looks always like this,
> correct and incorrect password given:
>
> % ssh root@box
> root@boxes's password:
> Permission denied, please try again.
> root@boxes's password:
> Permission denied, please try again.
>
> Version:
>
> % ssh -V
> OpenSSH_3.5p1 FreeBSD-20030924, SSH protocols 1.5/2.0, OpenSSL
> 0x0090704f
>
> Best regards
>
> Konrad Heuer (kheuer2@gwdg.de)  ____            ___  _______
> GWDG                           / __/______ ___ / _ )/ __/ _ \
> Am Fassberg                   / _// __/ -_) -_) _  |\ \/ // /
> 37077 Goettingen             /_/ /_/  \__/\__/____/___/____/
> Germany
>

Well, this is strange. The 5.2.1 box and the 4.10 box both have the same
sshd_conf options, however the OpenSSH versions are different (but
expected)

5.2.1
OpenSSH_3.6.1p1 FreeBSD-20030924, SSH protocols 1.5/2.0, OpenSSL
0x0090703f

4.10
OpenSSH_3.5p1 FreeBSD-20030924, SSH protocols 1.5/2.0, OpenSSL
0x0090704f

Do you have any non-default settings to disable remote root access on
your 4.10 box? This 4.10 box was recently upgraded from 4.9 (using
cvsup), maybe I missed something is all I can think of.

-Tig

From owner-freebsd-security@FreeBSD.ORG Wed Jul 21 13:33:37 2004
Date: Wed, 21 Jul 2004 15:33:34 +0200 (CEST)
From: Konrad Heuer
To: Tig
Cc: freebsd-security@freebsd.org
In-Reply-To: <20040721232232.5d8b5bab@piglet.goo>
Message-ID: <20040721152912.O64009@gwdu60.gwdg.de>
Subject: Re: ssh and root on 4.10 = password discovery (maybe)

On Wed, 21 Jul 2004, Tig wrote:

> On Wed, 21 Jul 2004 14:12:45 +0200 (CEST)
> Konrad Heuer wrote:
>
> >
> > I roughly remember to have read about that problem for older versions
> > of OpenSSH.
> >
> > But on my 4.10 boxes, there's no problem. Looks always like this,
> > correct and incorrect password given:
> >
> > % ssh root@box
> > root@boxes's password:
> > Permission denied, please try again.
> > root@boxes's password:
> > Permission denied, please try again.
> >
> > Version:
> >
> > % ssh -V
> > OpenSSH_3.5p1 FreeBSD-20030924, SSH protocols 1.5/2.0, OpenSSL
> > 0x0090704f
>
> Well, this is strange. The 5.2.1 box and the 4.10 box both have the same
> sshd_conf options, however the OpenSSH versions are different (but
> expected)
>
> 5.2.1
> OpenSSH_3.6.1p1 FreeBSD-20030924, SSH protocols 1.5/2.0, OpenSSL
> 0x0090703f
>
> 4.10
> OpenSSH_3.5p1 FreeBSD-20030924, SSH protocols 1.5/2.0, OpenSSL
> 0x0090704f
>
> Do you have any non-default settings to disable remote root access on
> your 4.10 box? This 4.10 box was recently upgraded from 4.9 (using
> cvsup), maybe I missed something is all I can think of.

Here are the lines of my sshd_config which are uncommented:

PermitRootLogin forced-commands-only
IgnoreRhosts no
RhostsRSAAuthentication yes
HostbasedAuthentication yes
ChallengeResponseAuthentication no
X11Forwarding yes
UsePrivilegeSeparation yes
Compression yes
Subsystem sftp /usr/libexec/sftp-server

Best regards

Konrad Heuer (kheuer2@gwdg.de)  ____            ___  _______
GWDG                           / __/______ ___ / _ )/ __/ _ \
Am Fassberg                   / _// __/ -_) -_) _  |\ \/ // /
37077 Goettingen             /_/ /_/  \__/\__/____/___/____/
Germany
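
Both posters compare hosts by their uncommented sshd_config lines. As an added example (not part of the thread or of OpenSSH), this Python sketch reduces two configs to their effective settings and lists where they differ. CONFIG_A is the list from Konrad's message above; CONFIG_B and the function names are constructed for illustration.

```python
import re

# Uncommented sshd_config lines copied from Konrad's message above.
CONFIG_A = """\
PermitRootLogin forced-commands-only
IgnoreRhosts no
RhostsRSAAuthentication yes
HostbasedAuthentication yes
ChallengeResponseAuthentication no
X11Forwarding yes
UsePrivilegeSeparation yes
Compression yes
Subsystem sftp /usr/libexec/sftp-server
"""

# Constructed sample for a second host; not taken from the thread.
CONFIG_B = """\
#PermitRootLogin yes
permitrootlogin no
ChallengeResponseAuthentication yes
X11Forwarding yes
PermitRootLogin yes
UsePrivilegeSeparation yes
Subsystem sftp /usr/libexec/sftp-server
"""

def effective_settings(text):
    """Map keyword -> value as sshd reads the file: comments and blanks are
    skipped, keywords are case-insensitive, the first value for a keyword
    wins (repeatable keywords such as Port are reduced to the first)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(parts[0].lower(), value)
    return settings

def diff_settings(a, b):
    """Return {keyword: (a_value, b_value)} where they differ; None = unset."""
    ea, eb = effective_settings(a), effective_settings(b)
    return {k: (ea.get(k), eb.get(k))
            for k in sorted(set(ea) | set(eb)) if ea.get(k) != eb.get(k)}

if __name__ == "__main__":
    for key, (left, right) in diff_settings(CONFIG_A, CONFIG_B).items():
        print(f"{key}: A={left!r} B={right!r}")
```

On live hosts the two inputs would be the contents of each machine's /etc/ssh/sshd_config; a keyword reported as None on one side is unset there, so that host runs with its sshd version's built-in default.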