From owner-freebsd-security@FreeBSD.ORG  Fri Nov 26 14:24:13 2010
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id A944E106566C
	for <freebsd-security@freebsd.org>;
	Fri, 26 Nov 2010 14:24:13 +0000 (UTC)
	(envelope-from n.knight@stormunix.co.uk)
Received: from mail-qw0-f54.google.com (mail-qw0-f54.google.com
	[209.85.216.54])
	by mx1.freebsd.org (Postfix) with ESMTP id 676DB8FC14
	for <freebsd-security@freebsd.org>;
	Fri, 26 Nov 2010 14:24:13 +0000 (UTC)
Received: by qwg8 with SMTP id 8so1199538qwg.13
	for <freebsd-security@freebsd.org>;
	Fri, 26 Nov 2010 06:24:12 -0800 (PST)
MIME-Version: 1.0
Received: by 10.229.81.20 with SMTP id v20mr1795288qck.210.1290779758283; Fri,
	26 Nov 2010 05:55:58 -0800 (PST)
Sender: n.knight@stormunix.co.uk
Received: by 10.229.217.2 with HTTP; Fri, 26 Nov 2010 05:55:58 -0800 (PST)
Date: Fri, 26 Nov 2010 13:55:58 +0000
X-Google-Sender-Auth: rIWBVetATHGoPtecJgXLuNuTiKY
Message-ID: <AANLkTi=eaYSFJygru1NBqkNTBoC=2oKLuDJ1XGkMpEsC@mail.gmail.com>
From: Nick Knight <nick@stormunix.co.uk>
To: freebsd-security@freebsd.org
X-Mailman-Approved-At: Fri, 26 Nov 2010 16:06:36 +0000
Content-Type: text/plain; charset=ISO-8859-1
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Subject: ssh binary modified
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: nick@stormunix.co.uk
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Nov 2010 14:24:13 -0000

Hi,

I've just found a problem with ssh on one of my servers, I'm hoping someone
can give me some insight into what's caused the problem.

When I try to use scp or ftp I get the following error:
command-line: line 0: Bad configuration option: PermitLocalCommand
lost connection

I've just noticed my /usr/bin/ssh binary was modified two days ago although
no updates have been run.

I've noticed a strange new file: /etc/ssh/.sshd_auth
This has file permission 755 and contained two entries of my plain text
login:
myuser:clearpassword
myuser:clearpassword

FreeBSD hostname 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:02:08 UTC
2009     root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64

OpenSSH_5.2p1 FreeBSD-20090522, SSH protocols 1.5/2.0, OpenSSL 0x009080bf

MD5 (/usr/bin/ssh) = 39d889822b743a86ab150e12692c85b7

Has anyone seen the file /etc/ssh/.sshd_auth before?

Cheers

-- 
Regards
Nick Knight