Date: Fri, 21 Sep 2001 17:52:28 +0400 (MSD) From: Maxim Kozin <madmax@express.ru> To: FreeBSD-Security@FreeBSD.ORG Subject: Re: login_conf vulnerability. Message-ID: <Pine.BSF.4.05.10109211744260.6837-100000@ds.express.ru> In-Reply-To: <20010921173502.A62350@nagual.pp.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, 21 Sep 2001, Andrey A. Chernov wrote: > On Fri, Sep 21, 2001 at 14:19:37 +0100, Marc Rogers wrote: > > > > :copyright=/etc/master.passwd: > > It is SSH+LOGIN_CAP integration bug. SSH should call setusercontext() > before accessing "copyright" and "welcome" properties, as /usr/bin/login > does. I can't repeat bug on FreeBSD with OpenSSH_2.5.1p1. It's depend from "UseLogin" options in sshd_config ? (off by default) Must intruder run after edit .login_conf (be careful, not .login.conf !) "cap_mkdb .login_conf" ? For whith version OpenSSH exploit work ? b.r. Kozin Maxim To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.05.10109211744260.6837-100000>