Date: Wed, 19 Jan 2000 15:52:03 +0200
From: Marc Silver
To: Stephan van Beerschoten
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ssh-feature 'backdoor'
Message-ID: <20000119155203.C8404@is.co.za>
In-Reply-To: <20000119134325.J2167@supra.rotterdam.luna.net>

That should never happen if this line is in your sshd_config file:

PermitRootLogin no

I think it's better to log in as your user and then su to root.

Cheers,
Marc

On Wed, Jan 19, 2000 at 01:43:25PM +0100, Stephan van Beerschoten wrote:
> I have discovered the obvious ..
>
> I was helping a friend of mine who admins a couple of
> machines to find left-overs from hacks.. (The machine is
> used for this kind of playful thingies) and we discovered
> something which other admins might not see because they
> don't think of it as a valid entry-point.
>
> sshd accepts connections with the rsa-key system (I love the
> system, I hop from one system to the next using this system
> and the ssh-agent running), but a hacker has created an
> ~root/.ssh/authorized_keys file with his own key in it.
>
> The comment on the key was root@ so
> for the 'default' admin the key would not look like something
> which should not be there .. but it was the hacker's way to
> simply ssh to the box, enter his rsa passphrase (or let the
> ssh-agent take care of it) and he was in, having all the time
> to erase his presence from logs etc.
>
> Just a hint.. watch the ~root/.ssh dir.
>
> -Steve
>
> --
> Stephan van Beerschoten      Email: stephanb@luna.nl
> Network Engineer             Luna Internet Services
> PGP fingerprint 4557 9761 B212 FB4C 778D 3529 C42A 2D27

--
Marc Silver
IS Hosting Infrastructure
The Internet Solution
Tel: (+27 11) 283 5500
Fax: (+27 11) 283 5001
E-mail: marcs@is.co.za
Web: www.is.co.za

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
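The two checks the thread calls for, the effective PermitRootLogin value and unexpected entries in ~root/.ssh/authorized_keys, as an added shell example that is not part of the list thread. It compares key material against a baseline of known blobs rather than trusting the comment field, since a "root@host" comment proves nothing; the sample sshd_config, baseline and authorized_keys files are constructed inline, and the script assumes no Match blocks and no whitespace inside authorized_keys option fields.

```shell
#!/bin/sh
# Added example, not from the thread. Audits an authorized_keys file
# against a baseline of known key blobs and reports PermitRootLogin.
# Assumptions: no Match blocks in sshd_config; authorized_keys option
# fields (from=, command=, ...) contain no embedded whitespace.

# sshd uses the first occurrence of a keyword; print it, or "(unset)"
# (the default then depends on the OpenSSH release: "yes" in old ones,
# "prohibit-password" in current ones).
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); f = 1; exit }
         END { if (!f) print "(unset)" }' "$1"
}

# Print keys in file $2 whose blob is not listed in baseline file $1
# (one blob per line). The comment is reported but never trusted.
# Handles a leading options field and SSH1 "bits exp mod comment" lines.
unexpected_keys() {
    awk -v base="$1" '
        BEGIN { while ((getline b < base) > 0) ok[b] = 1 }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            k = 1
            if ($1 !~ /^(ssh-|ecdsa-|sk-)/ && $1 !~ /^[0-9]+$/) k = 2
            if ($k ~ /^[0-9]+$/) { blob = $(k + 2); c = k + 3 }   # SSH1 line
            else                 { blob = $(k + 1); c = k + 2 }   # SSH2 line
            comment = ""
            for (i = c; i <= NF; i++) comment = comment (comment == "" ? "" : " ") $i
            if (!(blob in ok))
                printf "line %d: unexpected %s key, comment \"%s\"\n", NR, $k, comment
        }' "$2"
}

# Constructed sample data so the script runs stand-alone.
D=$(mktemp -d)
SAMPLE_CFG=$D/sshd_config; SAMPLE_KEYS=$D/authorized_keys; SAMPLE_BASE=$D/baseline
printf '%s\n' 'Port 22' 'PermitRootLogin yes' 'PermitRootLogin no' > "$SAMPLE_CFG"
printf '%s\n' 'AAAAknownblob1' '13579' > "$SAMPLE_BASE"
printf '%s\n' '# admin key' \
    'ssh-rsa AAAAknownblob1 admin@ws' \
    'from="10.0.0.1" ssh-rsa AAAAevilblob root@localhost' \
    '1024 35 13579 root@localhost' > "$SAMPLE_KEYS"

echo "PermitRootLogin: $(permit_root_login "$SAMPLE_CFG")"
unexpected_keys "$SAMPLE_BASE" "$SAMPLE_KEYS"
```

On a real host the baseline is the list of blobs you put there yourself, regenerated whenever a key is legitimately added.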