Date: Wed, 26 Sep 2001 15:27:00 -0700 From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca> To: freebsd-security@freebsd.org Subject: OpenSSH Security Advisory (adv.option) (fwd) Message-ID: <200109262227.f8QMR6G33342@cwsys.cwsent.com>
next in thread | raw e-mail | index | archive | help
A weakness in OpenSSH's source IP based access control has been
discovered.
Regards, Phone: (250)387-8437
Cy Schubert Fax: (250)387-5766
Team Leader, Sun/Alpha Team Internet: Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD
Ministry of Management Services
Province of BC
------- Forwarded Message
[headers removed]
Date: Wed, 26 Sep 2001 23:18:23 +0200
From: Markus Friedl <markus@openbsd.org>
To: security-announce@openbsd.org
Subject: OpenSSH Security Advisory (adv.option)
Message-ID: <20010926231823.A15229@folly>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-security-announce@openbsd.org
Precedence: bulk
X-Loop: security-announce@openbsd.org
Weakness in OpenSSH's source IP based access control
for SSH protocol v2 public key authentication.
1. Systems affected:
Versions of OpenSSH between 2.5.x and 2.9.x using
the 'from=' key file option in combination with
both RSA and DSA keys in ~/.ssh/authorized_keys2.
2. Description:
Depending on the order of the user keys in
~/.ssh/authorized_keys2 sshd might fail to apply the
source IP based access control restriction (e.g.
from="10.0.0.1") to the correct key:
If a source IP restricted key (e.g. DSA key) is
immediately followed by a key of a different type
(e.g. RSA key), then key options for the second key
are applied to both keys, which includes 'from='.
3. Impact:
Users can circumvent the system policy
and login from disallowed source IP addresses.
4. Solution:
Apply the following patch.
This bug is fixed in OpenSSH 2.9.9
5. Credits:
None.
Appendix:
Index: key.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/key.c,v
retrieving revision 1.31
retrieving revision 1.32
diff -u -p -IRCSID -r1.31 -r1.32
- --- key.c 2001/09/17 20:50:22 1.31
+++ key.c 2001/09/19 13:23:29 1.32
@@ -358,7 +358,7 @@ write_bignum(FILE *f, BIGNUM *num)
return 1;
}
- -/* returns 1 ok, -1 error, 0 type mismatch */
+/* returns 1 ok, -1 error */
int
key_read(Key *ret, char **cpp)
{
@@ -413,7 +413,7 @@ key_read(Key *ret, char **cpp)
} else if (ret->type != type) {
/* is a key, but different type */
debug3("key_read: type mismatch");
- - return 0;
+ return -1;
}
len = 2*strlen(cp);
blob = xmalloc(len);
------- End of Forwarded Message
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200109262227.f8QMR6G33342>