From: Matthew Seaman
To: Toomas Aas
Cc: freebsd-questions@freebsd.org
Date: Mon, 21 Apr 2003 11:23:17 +0100
Subject: Re: sshd: buffer_get trying to get more bytes than in buffer

On Mon, Apr 21, 2003 at 11:20:21AM +0300, Toomas Aas wrote:
> Hello!
>
> I've noticed that one of my users logging in via ssh from one particular IP
> always causes this message to appear in auth.log:
>
> Apr 20 15:43:18 heerold sshd[18766]: fatal: buffer_get: trying to get more bytes 4 than in buffer 0
>
> The same user logs in from several different IP-s and the message only
> appears when he logs in from one particular IP. This leads me to believe
> that it might be just a quirk in the SSH client software he uses on this
> particular PC, but I just wanted to confirm that it's not actually an
> indication of Something Evil in progress.

In these sort of cases it's always a good idea to cut'n'paste the error
message into Google. Apart from turning up a worrying number of sites
that have a binary of 'sftp-server' and other programs from the ssh
package accessible on their websites, you'll find links to this e-mail:

    http://www.securityfocus.com/archive/121/261925/2002-03-08/2002-03-14/2

Looks like damage to the user's authorized_keys file:

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614
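A checker for the kind of damage suggested above, as an added example that is not part of the original message or of OpenSSH: it decodes each SSH2 key blob in an authorized_keys file and reads its length-prefixed fields with the same bounds check the logged error reports. The key-type table, the sample lines and all function names are constructed for illustration, and options before the key type are skipped rather than parsed.

```python
import base64
import struct

# Fields per SSH2 public key blob, type name included; protocol 1 lines are not handled.
FIELDS = {"ssh-rsa": 3, "ssh-dss": 5, "ssh-ed25519": 2, "ecdsa-sha2-nistp256": 3}

def read_fields(blob):
    """Split a key blob into fields, each a 4-byte big-endian length plus data."""
    fields, off = [], 0
    def take(n):
        nonlocal off
        if n > len(blob) - off:
            raise ValueError(f"trying to get {n} bytes, {len(blob) - off} in buffer")
        off += n
        return blob[off - n:off]
    while off < len(blob):
        (n,) = struct.unpack(">I", take(4))
        fields.append(take(n))
    return fields

def check_line(line):
    """Return None for a sound, blank or comment line, else a description of the damage."""
    tokens = line.split()
    if not tokens or tokens[0].startswith("#"):
        return None
    # Simplification: options before the key type are skipped, not parsed.
    idx = next((i for i, t in enumerate(tokens) if t in FIELDS), None)
    if idx is None or idx + 1 >= len(tokens):
        return "no key type followed by key data"
    try:
        fields = read_fields(base64.b64decode(tokens[idx + 1], validate=True))
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return f"bad key blob: {exc}"
    if not fields or fields[0] != tokens[idx].encode():
        return "key type inside the blob does not match the line"
    want = FIELDS[tokens[idx]]
    return None if len(fields) == want else f"expected {want} fields, found {len(fields)}"

def check_file(text):
    """Return (line_number, problem) for every damaged line of an authorized_keys file."""
    return [(n, p) for n, l in enumerate(text.splitlines(), 1) if (p := check_line(l))]

# Constructed sample (not a real key): sound, cut mid-field, cut at a field boundary.
PARTS = (b"ssh-rsa", b"\x01\x00\x01", bytes(range(1, 65)))
BLOB = b"".join(struct.pack(">I", len(p)) + p for p in PARTS)
SAMPLE = "\n".join(pre + base64.b64encode(b).decode() + " user@example" for pre, b in [
    ("ssh-rsa ", BLOB), ('from="192.0.2.7" ssh-rsa ', BLOB[:-10]), ("ssh-rsa ", BLOB[:18])])

if __name__ == "__main__":
    print(*check_file(SAMPLE), sep="\n")
```

To use it on a real file, pass the text of the user's authorized_keys to check_file(); an empty list means every key line parsed cleanly.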