Message-Id: <200109262227.f8QMR6G33342@cwsys.cwsent.com>
From: Cy Schubert - ITSD Open Systems Group
To: freebsd-security@freebsd.org
Subject: OpenSSH Security Advisory (adv.option) (fwd)
Date: Wed, 26 Sep 2001 15:27:00 -0700

A weakness in OpenSSH's source IP based access control has been discovered.

Regards,                         Phone:  (250)387-8437
Cy Schubert                        Fax:  (250)387-5766
Team Leader, Sun/Alpha Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD
Ministry of Management Services
Province of BC

------- Forwarded Message

[headers removed]

Date: Wed, 26 Sep 2001 23:18:23 +0200
From: Markus Friedl
To: security-announce@openbsd.org
Subject: OpenSSH Security Advisory (adv.option)
Message-ID: <20010926231823.A15229@folly>

Weakness in OpenSSH's source IP based access control
for SSH protocol v2 public key authentication.

1. Systems affected:

        Versions of OpenSSH between 2.5.x and 2.9.x using
        the 'from=' key file option in combination with
        both RSA and DSA keys in ~/.ssh/authorized_keys2.

2. Description:

        Depending on the order of the user keys in
        ~/.ssh/authorized_keys2 sshd might fail to apply the
        source IP based access control restriction
        (e.g. from="10.0.0.1") to the correct key:

        If a source IP restricted key (e.g. DSA key) is
        immediately followed by a key of a different type
        (e.g. RSA key), then key options for the second key
        are applied to both keys, which includes 'from='.

3. Impact:

        Users can circumvent the system policy and login from
        disallowed source IP addresses.

4. Solution:

        Apply the following patch.

        This bug is fixed in OpenSSH 2.9.9

5. Credits:

        None.

Appendix:

Index: key.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/key.c,v retrieving revision 1.31 retrieving revision 1.32 diff -u -p -IRCSID -r1.31 -r1.32 - --- key.c 2001/09/17 20:50:22 1.31 +++ key.c 2001/09/19 13:23:29 1.32 @@ -358,7 +358,7 @@ write_bignum(FILE *f, BIGNUM *num) return 1; } - -/* returns 1 ok, -1 error, 0 type mismatch */ +/* returns 1 ok, -1 error */ int key_read(Key *ret, char **cpp) { 
@@ -413,7 +413,7 @@ key_read(Key *ret, char **cpp) } else if (ret->type != type) { /* is a key, but different type */ debug3("key_read: type mismatch"); - - return 0; + return -1; } len = 2*strlen(cp); blob = xmalloc(len);

------- End of Forwarded Message
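
Review bot: In the first hunk (@@ -358,7), the new comment above key_read(), "returns 1 ok, -1 error", no longer says what the function returns on a key type mismatch, although the second hunk keeps a dedicated branch for that case. Suggest wording it as "returns 1 ok, -1 error (including key type mismatch)" so that a reader of the header comment alone knows 0 is no longer a possible return value and does not keep a separate branch for it.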
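
Review bot: In the second hunk (@@ -413,7), the `ret->type != type` branch now returns -1 where it returned 0, but the patch touches only key.c and shows no caller of key_read(), so nothing visible here confirms that code which used to tell 0 (type mismatch) apart from -1 (error) still behaves as intended. Please check every call site for comparisons against 0 or for "non-negative means usable" tests, and add a regression case with the ordering from section 2 of the advisory: a from= restricted DSA key immediately followed by an RSA key in authorized_keys2.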
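
As an added example (not part of the advisory and not OpenSSH code), this Python audit looks for the key ordering that section 2 of the advisory describes: a `from=` restricted key whose next key line is of a different type. It assumes that only `ssh-rsa` and `ssh-dss` entries occur in `authorized_keys2` and that comment or blank lines between two keys do not separate them; the function names and the sample file are constructed for illustration.

```python
# Added audit example; not OpenSSH code. Names and sample data are constructed.
KEY_TYPES = ("ssh-rsa", "ssh-dss")  # assumption: the only protocol 2 types present

def split_unquoted(text, seps):
    """Split text on any character in seps that lies outside double quotes."""
    parts, cur, in_quotes, prev = [], "", False, ""
    for ch in text:
        if ch == '"' and prev != "\\":
            in_quotes = not in_quotes
        if ch in seps and not in_quotes:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
        prev = ch
    parts.append(cur)
    return [p for p in parts if p]

def parse_entry(line):
    """Return (has_from, key_type) for a key line, or None for anything else."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = split_unquoted(line, " \t")
    if fields[0] in KEY_TYPES:            # key line without options
        return False, fields[0]
    if len(fields) > 1 and fields[1] in KEY_TYPES:
        opts = split_unquoted(fields[0], ",")
        return any(o.lower().startswith("from=") for o in opts), fields[1]
    return None

def find_risky_pairs(text):
    """List (restricted_line_no, next_key_line_no) where a from= restricted
    key is followed by a key of a different type."""
    keys = []
    for no, line in enumerate(text.splitlines(), 1):
        entry = parse_entry(line)
        if entry:
            keys.append((no, *entry))
    return [(a[0], b[0]) for a, b in zip(keys, keys[1:])
            if a[1] and a[2] != b[2]]

SAMPLE = """\
# constructed sample; key blobs are placeholders
from="10.0.0.1",command="echo a, b" ssh-dss AAAAPLACEHOLDERDSA alice
ssh-rsa AAAAPLACEHOLDERRSA alice
from="10.0.0.2" ssh-rsa AAAAPLACEHOLDERRSA2 bob
ssh-rsa AAAAPLACEHOLDERRSA3 bob
"""

if __name__ == "__main__":
    for restricted, following in find_risky_pairs(SAMPLE):
        print(f"line {restricted}: from= key followed by other key type on line {following}")
```

On the constructed sample only the DSA/RSA pair on lines 2 and 3 is reported; the restricted RSA key on line 4 is followed by another RSA key and is not.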