Date: Mon, 21 Apr 2003 11:23:17 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Toomas Aas <toomas.aas@raad.tartu.ee>
Cc: freebsd-questions@freebsd.org
Subject: Re: sshd: buffer_get trying to get more bytes than in buffer
Message-ID: <20030421102316.GB30592@happy-idiot-talk.infracaninophi>
In-Reply-To: <200304210820.h3L8KhC30223@lv.raad.tartu.ee>
References: <200304210820.h3L8KhC30223@lv.raad.tartu.ee>
On Mon, Apr 21, 2003 at 11:20:21AM +0300, Toomas Aas wrote:
> Hello!
>
> I've noticed that one of my users logging in via ssh from one particular IP
> always causes this message to appear in auth.log:
>
> Apr 20 15:43:18 heerold sshd[18766]: fatal: buffer_get: trying to get more bytes 4 than in buffer 0
>
> The same user logs in from several different IP-s and the message only
> appears when he logs in from one particular IP. This leads me to believe
> that it might be just a quirk in the SSH client software he uses on this
> particular PC, but I just wanted to confirm that it's not actually an
> indication of Something Evil in progress.
In these sort of cases it's always a good idea to cut'n'paste the
error message into Google.
Apart from turning up a worrying number of sites that have a binary of
'sftp-server' and other programs from the ssh package accessible on
their websites, you'll find links to this e-mail:
http://www.securityfocus.com/archive/121/261925/2002-03-08/2002-03-14/2
Looks like damage to the user's authorized_keys file:
Cheers,
Matthew
-- 
Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks
Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614 Bucks., SL7 1TH UK
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030421102316.GB30592>
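An added example, not part of the original message or of OpenSSH: a Python check that walks each SSH2 key blob in an authorized_keys file as a sequence of 4-byte-length-prefixed fields and reports lines whose blob runs out of bytes, which is the kind of damage the reply points to. The sample key material is constructed, the names `read_fields`, `check_line` and `audit` are hypothetical, and option strings containing spaces are assumed absent.

```python
import base64
import struct
KEY_PREFIXES = ("ssh-", "ecdsa-sha2-")  # SSH2 key type names

def read_fields(blob):
    """Split an SSH2 key blob into its 4-byte-length-prefixed fields."""
    fields, off = [], 0
    while off < len(blob):
        if len(blob) - off < 4:
            raise ValueError(f"need 4 length bytes, only {len(blob) - off} left")
        (size,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if size > len(blob) - off:
            raise ValueError(f"field wants {size} bytes, only {len(blob) - off} left")
        fields.append(blob[off:off + size])
        off += size
    return fields

def check_line(line):
    """Return None if the key line parses, else a description of the damage."""
    tokens = line.split()
    # Options may precede the key type; options containing spaces are not handled.
    idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_PREFIXES)), None)
    if idx is None or idx + 1 >= len(tokens):
        return "no SSH2 key type followed by a key blob"
    try:
        fields = read_fields(base64.b64decode(tokens[idx + 1], validate=True))
    except ValueError as exc:  # also covers binascii.Error from bad base64
        return f"damaged blob: {exc}"
    if len(fields) < 2 or fields[0] != tokens[idx].encode():
        return "blob does not start with the key type named on the line"
    return None

def audit(text):
    """Return (line_number, problem) for every damaged key line in the text."""
    lines = enumerate(text.splitlines(), start=1)
    keyed = [(n, check_line(l)) for n, l in lines if l.strip() and not l.lstrip().startswith("#")]
    return [(n, p) for n, p in keyed if p]

def _field(data):
    return struct.pack(">I", len(data)) + data

# Constructed sample, not a real key: type, exponent, 33-byte stand-in modulus.
GOOD = _field(b"ssh-rsa") + _field(b"\x01\x00\x01") + _field(b"\x00" + b"\xc3" * 32)
SAMPLE = "\n".join([
    "# constructed authorized_keys sample",
    "ssh-rsa " + base64.b64encode(GOOD).decode() + " user@intact",
    "ssh-rsa " + base64.b64encode(GOOD[:20]).decode() + " user@truncated",
])
```

Calling `audit()` on the text of a user's authorized_keys file returns the line numbers to inspect; an empty list means every SSH2 key blob parsed cleanly.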
