From owner-freebsd-security@FreeBSD.ORG  Wed Jul 21 09:34:52 2004
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id C3DCB16A4CE
	for <freebsd-security@freebsd.org>;
	Wed, 21 Jul 2004 09:34:52 +0000 (GMT)
Received: from lvlworld.com (dsl-38.226.240.220.dsl.comindico.com.au
	[220.240.226.38])
	by mx1.FreeBSD.org (Postfix) with SMTP id 8D79D43D45
	for <freebsd-security@freebsd.org>;
	Wed, 21 Jul 2004 09:34:51 +0000 (GMT)
	(envelope-from tigger@onemoremonkey.com)
Received: (qmail 20326 invoked from network); 21 Jul 2004 09:36:40 -0000
Received: from unknown (HELO piglet.goo) (192.168.1.120)
  by eeeor.goo with SMTP; 21 Jul 2004 09:36:40 -0000
Date: Wed, 21 Jul 2004 19:35:27 +1000
From: Tig <tigger@onemoremonkey.com>
To: freebsd-security@freebsd.org
Message-Id: <20040721193527.2647e696@piglet.goo>
X-Mailer: Sylpheed version 0.9.10claws (GTK+ 1.2.10;
	i386-portbld-freebsd5.2.1)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Bogosity: No, tests=bogofilter, spamicity=0.496024, version=0.17.5
Subject: ssh and root on 4.10 = password discovery (maybe)
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Jul 2004 09:34:52 -0000

Hello. I'm not 100% sure if this is a configuration error on my side or
a 'bad idea' on sshd/FreeBSD sides.

A remote root ssh connection to a FreeBSD 4.10 server (with no remote
root access) will allow you to 'work out' the root password. However, if
you try the same against 5.2.1 FreeBSD, you have little chance. The
following are pretty clear examples.

If this is a config mistake on my side, please let me know as I have
clearly done something wrong.

Correct root password - 4.10
tigger@piglet:~% ssh root@4.10-FreeBSD
Password:
Connection to 4.10-FreeBSD closed by remote host.
Connection to 4.10-FreeBSD closed.
tigger@piglet:~%

Incorrect root password - 4.10
tigger@piglet:~% ssh root@4.10-FreeBSD
Password:
Password:
Password:
root@lilypie.com's password: 
Permission denied, please try again.
root@lilypie.com's password: 
Permission denied, please try again.
root@lilypie.com's password: 
Permission denied (publickey,password,keyboard-interactive).
tigger@piglet:~%

Correct root password - 5.2.1
tigger@piglet:~% ssh root@5.2.1-FreeBSD
Password:
Password:
Password:
root@eeeor.goo's password: 
Permission denied, please try again.
root@eeeor.goo's password: 
Permission denied, please try again.
root@eeeor.goo's password: 
Permission denied (publickey,password,keyboard-interactive).