Package: openssh-server
Version: 1:5.8p1-7
Severity: important

openssh-server doesn't check whether the user's shell is listed in /etc/shells.
This is a potential security hole. If somebody removes the user's shell
from /etc/passwd, sshd permits the user to log in with the shell /bin/sh.

This is insecure behaviour of openssh on Debian. Other systems may be
affected too.


# ssh -l rajo localhost
rajo@localhost's password:
Last login: Fri Aug 26 02:28:05 2011 from localhost
$ id
uid=1000(rajo) gid=1000(rajo) groups=1000(rajo)
$ getent passwd rajo
rajo:x:1000:1000:Lubomir Host,,,:/home/rajo:
$ ps
  PID TTY          TIME CMD
 5243 pts/8    00:00:00 sh
 5372 pts/8    00:00:00 ps


FIX: add the following line to /etc/pam.d/common-auth

# Check /etc/shells on login
account       required   pam_shells.so

Check the system:
# ssh -l rajo localhost -p 22
rajo@localhost's password: 
Connection closed by 127.0.0.1

This is the correct (secure) behaviour.
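As an added illustration (not part of the bug report above), the following script enumerates the accounts that the pam_shells.so check rejects: every passwd entry whose shell field is empty or names a shell that does not appear in /etc/shells. It takes the passwd and shells files as parameters and runs against constructed sample data embedded in the script, so it can be tried offline before pointing it at /etc/passwd and /etc/shells on a real host. Note that service accounts with /usr/sbin/nologin show up too, which is expected, since nologin is normally not listed in /etc/shells.

```shell
#!/bin/sh
# Added example, not code from the bug report. Lists accounts whose login
# shell is empty or not listed in the shells file, i.e. the accounts that
# "account required pam_shells.so" would refuse. File paths are parameters
# so the check can run against sample files as well as the live system.

# users_with_bad_shell PASSWD SHELLS
# Prints "user:shell" for every entry in PASSWD whose shell field (field 7)
# is empty or does not appear as a line in SHELLS. Blank lines and
# "#" comments in SHELLS are ignored, as getusershell(3) does.
users_with_bad_shell() {
    awk -F: -v shells="$2" '
        BEGIN {
            # Load the permitted shells into an associative array.
            while ((getline line < shells) > 0) {
                if (line ~ /^[ \t]*(#|$)/) continue
                ok[line] = 1
            }
            close(shells)
        }
        # $1 = user, $7 = login shell; an empty $7 is the case from the
        # report (getpwnam then yields /bin/sh, and sshd accepts it).
        !($7 in ok) { print $1 ":" $7 }
    ' "$1"
}

# Constructed sample data (assumed, not taken from a real host), written to
# a temporary directory so the example runs without touching /etc.
setup_samples() {
    tmp=$(mktemp -d)
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
rajo:x:1000:1000:Lubomir Host,,,:/home/rajo:
alice:x:1001:1001:Alice,,,:/home/alice:/bin/bash
bob:x:1002:1002:Bob,,,:/home/bob:/usr/bin/zsh
EOF
    cat > "$tmp/shells" <<'EOF'
# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
EOF
    echo "$tmp"
}

# Run the check against the samples and print the findings.
main() {
    dir=$(setup_samples)
    users_with_bad_shell "$dir/passwd" "$dir/shells"
    rm -rf "$dir"
}

main
```

On a live system, `users_with_bad_shell /etc/passwd /etc/shells` gives the same report; any human account in that list either has an empty shell field (the case in this bug) or a shell that was never registered in /etc/shells, and will be locked out once pam_shells.so is enabled, so review the list before adding the PAM line.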

Best regards,
Lubomir Host


-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 3.0.0-1-686-pae (SMP w/2 CPU cores)
Locale: LANG=sk_SK, LC_CTYPE=sk_SK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-server depends on:
ii  adduser            3.113                 add and remove users and groups
ii  debconf [debconf-2 1.5.41                Debian configuration management sy
ii  dpkg               1.16.0.3              Debian package management system
ii  libc6              2.13-17               Embedded GNU C Library: Shared lib
ii  libcomerr2         1.42~WIP-2011-07-02-1 common error description library
ii  libgssapi-krb5-2   1.9.1+dfsg-2          MIT Kerberos runtime libraries - k
ii  libkrb5-3          1.9.1+dfsg-2          MIT Kerberos runtime libraries
ii  libpam-modules     1.1.3-2               Pluggable Authentication Modules f
ii  libpam-runtime     1.1.3-2               Runtime support for the PAM librar
ii  libpam0g           1.1.3-2               Pluggable Authentication Modules l
ii  libselinux1        2.0.98-1.1            SELinux runtime shared libraries
ii  libssl1.0.0        1.0.0d-3              SSL shared libraries
ii  libwrap0           7.6.q-21              Wietse Venema's TCP wrappers libra
ii  lsb-base           3.2-27                Linux Standard Base 3.2 init scrip
ii  openssh-client     1:5.8p1-7             secure shell (SSH) client, for sec
ii  procps             1:3.2.8-11            /proc file system utilities
ii  zlib1g             1:1.2.3.4.dfsg-3      compression library - runtime

Versions of packages openssh-server recommends:
ii  openssh-blacklist             0.4.1      list of default blacklisted OpenSS
ii  openssh-blacklist-extra       0.4.1      list of non-default blacklisted Op
ii  xauth                         1:1.0.6-1  X authentication utility

Versions of packages openssh-server suggests:
pn  molly-guard                  <none>      (no description available)
pn  monkeysphere                 <none>      (no description available)
pn  rssh                         <none>      (no description available)
ii  ssh-askpass                  1:1.2.4.1-9 under X, asks user for a passphras
pn  ufw                          <none>      (no description available)



-- debconf information excluded


