Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Bug Encryption Security

The OpenSSH Bug That Wasn't 55

badger.foo writes: Get your facts straight before reporting, is the main takeaway from Peter Hansteen's latest piece, The OpenSSH Bug That Wasn't. OpenSSH servers that are set up to use PAM for authentication and with a very specific (non-default on OpenBSD and most other places) setup are in fact vulnerable, and fixing the configuration is trivial.
This discussion has been archived. No new comments can be posted.

The OpenSSH Bug That Wasn't

Comments Filter:
  • Spoiler (Score:5, Informative)

    by bobstreo ( 1320787 ) on Friday July 24, 2015 @11:42PM (#50179657)

    According to the article, it's a bug in PAM.

    You shouldn't see this behaviour with SSH unless you have PAM authentication turned on. And apparently only in FreeBSD ?

      And as OpenBSD developer Marc Espie says in his message,

            Not surprisingly, as the patch clearly shows, the problem is right smack in the middle of USE_PAM code.

            I wouldn't call that an OpenSSH bug. I would call it a systemic design flaw in PAM. As usual. LOTS of security holes in authentication systems stem from PAM. Why ? Because that stuff is over designed. Difficult to configure. Gives you MORE than you need to hang yourself several times over. It's been that way for as long as I can remember.

    • by Anonymous Coward

      ... but still, if PAM is configured with OpenSSH, a PAM bug may sometimes be mis-identified to be an OpenSSH bug

      No matter if it's a PAM bug or an OpenSSH bug, a but report which points out a vulnerability is good thing for the community - something that will allow the users to tighten up their configuration to deny that bug from being able to function in the first place

      • Re: (Score:2, Funny)

        ... but still, if PAM is configured with OpenSSH, a PAM bug may sometimes be mis-identified to be an OpenSSH bug

        No matter if it's a PAM bug or an OpenSSH bug, a but report which points out a vulnerability is good thing for the community - something that will allow the users to tighten up their configuration to deny that bug from being able to function in the first place

        Does not parse.

        tl;dr Huh?

        • That's because your parser's broken.

          • That's because your parser's broken.

            No, my parser is fine. Your's matches your usename - that is just a pseudonym, right?

            ... but still, if PAM is configured with OpenSSH, a PAM bug may sometimes be mis-identified to be an OpenSSH bug

            Then it's not an OpenSSH bug. (and that's not English)

            No matter if it's a PAM bug or an OpenSSH bug, a but report which points out a vulnerability is good thing for the community

            (assuming the coward means "bug report"). No - it's a waste of limited resources. Big scare about an insecurity in OpenSSH which did not exist

            "King Cope" posted to the Full Disclosure mailing list Fri, 17 Jul 2015 21:23:36 +0000 (UTC) (according to my email system) with an exploit

            ssh -lusername -oKbdInteractiveDevices=`perl -e 'print "pam," x
            10000'` targethost

            and "a patch for openssh-6.9p1 that will allow to use a wordlist and any passwords piped to the ssh process to be used in order to crack passwords remotely.". By applying the patch it allows an attacker to try as many attacks as possible within the gracetime (2 minutes). The best case scenario allows an estimated 10000 attempts in that time period.

            I only read it because he's usually good for a laugh, or, as is this case, a face-palm.

            Which might brute force a very short (stupid) password that would fall to a small, lucky, dictionary attack. Which is why BP is to use a key [mozilla.org].

            He mentions in that email that it has been "tested against a new FreeBSD 10.1 system and older FreeBSD versions such as version 6.2.".

            something that will allow the users to tighten up their configuration to deny that bug from being able to function in the first place

            Tighten up what? Their SSH configurations [marc.info]? It is a bug in PAM that is restricted to small range of BSD versions.
            Tightening up SSH, which is already as tight as it can be against the exploit unless you deliberately loosened it (as Sex Conker would recommend - but he's an idiot). Default configurations already stop the exploit (no root ssh login, all ssh logins with keys).

            The exploit would only affect insecure systems that use piss poor password security - and even then only on a limited number of BSD systems.

            That belief is a broken as the idea that if there's a story a cigarette lighter exploded, which causes a panic about cigarette lighters, and calls for a recall of them - turns out to be a case of someone in petrol soaked pants being injured when the cigarette lighter in their pocket exploded as a result of them falling out of a building and landing on their arse. Unfortunately they had a box of matches in the back pocket which exploded on impact, setting fire to their pants - the heat of the flames caused the cigarette lighter to explode.

            The moral of the story is not - oh the panic about cigarette lighters exploding was a good thing.
            It would have been a "good thing" if that energy was spent on warning people of the dangers of wearing petrol pants and falling out of windows.

            It would be a "good thing" if people focused on the actual bug in PAM instead of trying to justify their earlier panic (the sky is not falling).

            The coward that wrote that gibberish you're defending , who is obviously not you, is referring to what bug report?Hint: there was none, just another of King Cope's self-promoting and inflated security exploits (he also thinks robots.txt is a security hole). You fell for it, get over it.

    • Re:Spoiler (Score:4, Interesting)

      by Forever Wondering ( 2506940 ) on Saturday July 25, 2015 @12:11AM (#50179743)

      I just tested this (I've got UsePAM yes in sshd_config) on fedora 21 and I only get three tries before disconnect. So, what's special about freebsd?

      • by Anonymous Coward

        Different PAM settings, different /bin/login, different sshd_config settings, different defaults of SSH version versus versoin 2? Who knows?

      • Okay, just answered my own question. I also had "ChallengeResponseAuthentication no" in my sshd_config. When I changed this to "yes", I was able to reproduce the bug. In the original article, I had done a /. post with a link to a redhat page explaining why they used "no" and it is because of keyboard interactive [which tracks CRA].

        My original slashdot post, with additional security I use and the logging of script kiddies I've been doing for years: http://slashdot.org/comments.p... [slashdot.org]

        The redhat page: https: [redhat.com]

    • by pavon ( 30274 ) on Saturday July 25, 2015 @12:33AM (#50179805)

      It is a bug in OpenSSH misusing PAM. They argue that these sorts of bugs wouldn't be as easy to make if PAM was less complicated, which is certainly true, but it is still a bug in OpenSSH.

      • by Anonymous Coward

        It is a bug in OpenSSH misusing PAM. They argue that these sorts of bugs wouldn't be as easy to make if PAM was less complicated, which is certainly true, but it is still a bug in OpenSSH.

        Prove it. Cite the relevant code. Otherwise, you have no defensible position.

        Marc Espie said the error exists in FreeBSD's PAM implementation. A Slashdot comment that predates your own indicates that enabling PAM support in OpenSSH on Fedora still limits to three login attempts, thus implying the problem does lie with FreeBSD's PAM implementation.

        On the other hand, you merely have a bald assertion unsupported by evidence.

        Even absent the anecdotal evidence against your assertion, I'll believe an OpenBSD deve

        • by Shimbo ( 100005 )

          It is a bug in OpenSSH misusing PAM. They argue that these sorts of bugs wouldn't be as easy to make if PAM was less complicated, which is certainly true, but it is still a bug in OpenSSH.

          Prove it. Cite the relevant code.

          He doesn't need to: Marc Espie already did.

        • by Raenex ( 947668 )

          Marc Espie said the error exists in FreeBSD's PAM implementation.

          Marc Espie's post, linked from the article: http://marc.info/?l=openbsd-mi... [marc.info]

          "Okay, let's admit that the *portable* version of openssh wasn't programmed in a way that's paranoid enough about the failure modes of pam."

          Lots of hemming and hawing about how PAM sucks and is easy to screw up, and maybe it is, but the bug still exists in OpenSSH code and that's where it was patched:

          https://anongit.mindrot.org/op... [mindrot.org]

      • by Cramer ( 69040 )

        Actually, it's an issue with OpenSSH's blind acceptance of a user supplied device list. The PoC uses "PAM", but any valid device can be used. (hint: PAM isn't the only one.) There's an additional bug in that the code ignores ("overrides") KbdInteractiveAuthentication no -- if I put that in my config, it should be off, PERIOD, anything that requires it is disabled as well.

    • by Anonymous Coward

      Yay! The BSDs are still better than the Linux/SYSV variants (due to PAM being mainly used on Linux).

      • by Anonymous Coward

        Both FreeBSD and NetBSD use PAM. Sadly, only OpenBSD uses the BSDAuth framework.

    • According to the article, it's a bug in PAM.

      Then the article (which I wouldn't bother to read) is misleading.

      The bug is inside openssh proper. This is how they fixed it:

      http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c.diff?r1=1.42&r2=1.43&f=h [openbsd.org]

      Basically, OpenSSH was accepting a list of 'keyboard interactive devices' where the same device apeared thousands of times, completely bypassing the MaxAuthTries setting from sshd_config (default 6).

      This is well explained in king

    • Fred Brooks pointed out that integrating your code with other systems is one of the most intractable problems of software development. Not only does it increase the time for development dramatically (which he pointed out in the first chapter of MMM), it is also necessary to understand the behavior of both sides extremely well.

      Although the OpenBSD team is very good at avoiding bugs, it is not surprising that a vuln would show up here, on a system boundary like this.
  • by Sowelu ( 713889 ) on Saturday July 25, 2015 @12:24AM (#50179779)

    I love the attitude of one of the anon commenters: if you don't know enough to configure every single security option on your system right out of the box, you shouldn't have your *nix machine hooked up to the internet. Truly, this is the year of *nix on the desktop.

    • by Anonymous Coward

      I love the attitude of one of the anon commenters: if you don't know enough to configure every single security option on your system right out of the box, you shouldn't have your *nix machine hooked up to the internet. Truly, this is the year of *nix on the desktop.

      Firstly, disabling password-only auth (for keys) is one of the very basic security rules for a good SSH config. You'll find it in nearly every tutorial, along with disabling root logins. It definitely isn't obscure, as you suggest, and yields hundreds of thousands of search results (for guides, blogs, wikis, etc.)

      Secondly, he talks about the "open internet". As in, a server accessible to (attackable by) anyone and everyone. This has nothing to do with the desktop. Stop trying to twist it into an argument ag

      • disabling root logins has no security benefit at all. Keep the keys secure, everything is fine. In some cases there is a small benefit, but in most there is none.

        • by Anonymous Coward

          disabling root logins has no security benefit at all. Keep the keys secure, everything is fine. In some cases there is a small benefit, but in most there is none.

          Disabling remote root logins multiplies the attempts needed to break in which can be detected and banned. You'd have to guess usernames too if it weren't for an allowed remote root login in many linux distros. Debian only changed the default in their latest release for example.

        • Re: (Score:2, Informative)

          by Anonymous Coward

          Explain to me how having to guess a username AND a password during a bruteforce attempt is the same as already knowing and being able to log in as a uid=0 user (root) and just having to bruteforce the password.
          "No security benefit at all" != makes my life more difficult because I have to learn how to use su and leave audit trails and unique users in my sloppy throwing code around developer life.

          • by TCM ( 130219 )

            Simple, the username is to be considered public knowledge. It's visible when entering it everywhere, it may be in ~/.ssh/config, it's not a secret.

            Just assume the whole world knows it already. All strength must come from the password either way, so don't even start to treat the username as some sort of secret.

            • by DarkOx ( 621550 ) on Saturday July 25, 2015 @08:19AM (#50180563) Journal

              Generally I agree but if you are going to brute force knowing the user names are half the battle. root is one you know will be there and its a valuable one if you could get it.

              I never try and brute force passwords on pentests. I usually brute force user names with a handful of bad passwords. That is once I work out how user names are constructed fist letter first name last name or whatever is being used. I'll dictionary like this:

              asmith:password1
              asmith:P@$$w0rd
              asmith:Summer2015!
              bsmith:password1
              bsmith:P@$$w0rd
              bsmith:Summer2015!

              If the organization is big enough someone has used one of the top 100 worst passwords. Hopefully its not a sysadmin.

              Then it comes the issue of the root account being shared. No nobody should ever be allowed to logon as root directly. Why because than you have no accountability. Was it Jim, Bob, Ted, or Sally who did that? I don't know. On the other hand if you have some kind of secure logging in place and you make people logon with their own account you at least have the log entry of who did sudo or su. Attribution is important!

              Finally if Bob leaves the company yes the root password needs to be changed. Sometimes though there are reasons you can't immediately do that. Usually these are problems in and of themselves but that is neither here nor there. It should be safe to disable or delete Bobs account the moment he walks out the door. If root logins are not allowed you will be 'mostly' even if it takes Sally a few days to change the root password everywhere.

        • by dbIII ( 701233 ) on Saturday July 25, 2015 @05:24AM (#50180247)

          disabling root logins has no security benefit at al

          Of course it does. That former employee that knows the root password or has the keys can't get to it. The current employee that fat fingers a command to the wrong host can't do much damage. That thief with a stolen laptop can't use a key to get full access remotely. There is a very very long list and it's just inexperience, laziness or lack of sleep that's stopping you from thinking of entries in it.

          • by sjames ( 1099 )

            Set PermitRootLogin without-password

            Then control access with authorized_keys. If someone leaves, remove his key from authorized_keys.

            Next step, laugh at the 'hackers' wasting all that effort trying to guess the root password.

            • You didn't get far in reading my post above - "That thief with a stolen laptop can't use a key to get full access remotely" was mentioned, but maybe I should add another. The tiny amount of extra effort required by disabling root logins covers a lot of possibilities. I've gained access to a former workplace as much as three years after leaving by running the wrong old script - whoops! That human intervention of cancelling accounts depends on things like those HR people talking to IT people (Eloi vs Moorl
              • by sjames ( 1099 )

                If HR fails to notify IT to remove an account for someone who has access to root in any way, the same problem happens. That's why I leave it accessible through RSA authentication.

                That same old script would have worked if you used sudo or an IP KVM.

                • by dbIII ( 701233 )
                  That's one of the reasons I don't use sudo on internet facing machines or have a KVM exposed to the internet, but that's another story.
                  To sum up I just have the opinion that one step root access from out on the internet is an accident waiting to happen - especially if you are likely to log on from anywhere and not a known trusted address.
                  • by sjames ( 1099 )

                    Really, it depends on the environment. If you have servers in a lights out environment rather than 24/7 on-site staff, less moving parts is good.

                    It's a shame if where you are asking HR to do all of their job is too much, especially with employees identified as security sensitive.

                    If the machine normally doesn't need to allow ssh, you can always choke it down to a pair of very reliable admin servers (Perhaps atom based systems with no moving parts) that authorized users can use as a jumping off point using th

          • That former employee that knows the root password or has the keys can't get to it.

            Make a good policy, no passwords, only keys, and every employee has one. Then you only have to delete the keys from all boxes, if an employee leaves, done. You will however have to use custom tools for logging, because ssh does only log the key if at VERBOSE loglevel, which you usually don't want.

            The current employee that fat fingers a command to the wrong host can't do much damage.

            That is, I agree, more likely possible. However if an employee has to do "sudo" all the time, they just start turning their brain off while doing it. Too much "are you sure" harms too.

            That thief with a stolen laptop can't use a key to get full access remotely.

            If you require your employees to encrypt their keys with a passphrase, which you should do, then this isn't an issue.

            • by dbIII ( 701233 )

              Make a good policy, no passwords, only keys, and every employee has one.

              And that laptop thief that is going to get an employees machine eventually is going to have one click access to root on your server - now that's a major fuckup isn't it?

              However if an employee has to do "sudo" all the time, they just start turning their brain off while doing it.

              I prefer "su" so as to keep things entirely separate although others swear by "sudo" for user tracking - either way if they can't keep track of context they shoul

        • by Anonymous Coward

          found the guy who relies on root logins for hax

    • by Bert64 ( 520050 ) <.moc.eeznerif.todhsals. .ta. .treb.> on Saturday July 25, 2015 @03:22AM (#50180073) Homepage

      That's very true, and doesn't just apply to unix based systems... You should not be connecting a system to a public network unless you fully understand and control it, and windows is actually much worse in this regard because its massively more complicated than any unix.

  • by El_Muerte_TDS ( 592157 ) on Saturday July 25, 2015 @01:23AM (#50179899) Homepage

    > fixing the configuration is trivial

    So trivial that the suggested configuration change is not mentioned anywhere.

    • by CRC'99 ( 96526 )

      > fixing the configuration is trivial

      So trivial that the suggested configuration change is not mentioned anywhere.

      Just like a useful description of the problem.... Obscure news is obscure.

    • > fixing the configuration is trivial

      So trivial that the suggested configuration change is not mentioned anywhere.

      Where did you look? The summary - or your closet? If you don't run FreeBSD you don't have to change anything. If you do - try reading the referenced article. Though if you need to be told the bleeding obvious that won't fix your problem.

      • by arth1 ( 260657 )

        The article does not specify what configuration changes are needed to get the flaw to appear or disappear.
        It references a code patch, which is a completely different thing.

        And from what I can tell, non-BSD systems are vulnerable too - as long as you don't use the default configuration. If you do, you probably should wait for vendor patches anyhow, and are safe while you wait...

        • The article does not specify what configuration changes are needed to get the flaw to appear or disappear.

          Agreed. It's a crap summary. The blog post it references is worth reading - as does the BSD list thread I quoted earlier. The many "news" stories, and the reddit thread are not.

          It references a code patch, which is a completely different thing.

          And from what I can tell, non-BSD systems are vulnerable too - as long as you don't use the default configuration. If you do, you probably should wait for vendor patches anyhow, and are safe while you wait...

          It doesn't affect non-BSD systems. It only affects a small number of BSD systems. And in those instances only if the sysadmin does not follow best practices (they'd have to disable default configurations, and then use a stupid password).

  • by Anonymous Coward

    I think that sentence right there is far beyond the scope of today's bloggers playing reporters.

  • Get your facts straight before reporting

    To whom may I address this invoice for a new keyboard?

This restaurant was advertising breakfast any time. So I ordered french toast in the renaissance. - Steven Wright, comedian

Working...